[jira] [Created] (SUREFIRE-2118) surefire-report xml format not compliant with xsi for test failing in all of the re-runs

2022-10-05 Thread Yamini (Jira)
Yamini created SUREFIRE-2118:


 Summary: surefire-report xml format not compliant with xsi for 
test failing in all of the re-runs
 Key: SUREFIRE-2118
 URL: https://issues.apache.org/jira/browse/SUREFIRE-2118
 Project: Maven Surefire
  Issue Type: Bug
  Components: Junit 4.7+ (parallel) support, Maven Surefire Plugin, xml 
generation
Affects Versions: 3.0.0-M7
Reporter: Yamini


We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2

 
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

 

 

surefire-plugin

 
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (SUREFIRE-2118) surefire-report xml format not compliant with xsi for test failing in all of the re-runs

2022-10-05 Thread Yamini (Jira)


 [ 
https://issues.apache.org/jira/browse/SUREFIRE-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yamini updated SUREFIRE-2118:
-
Description: 
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

surefire-plugin

 
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 

  was:
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2

 
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

 

 

surefire-plugin

 
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 


> surefire-report xml format not compliant with xsi for test failing in all of 
> the re-runs
> 
>
> Key: SUREFIRE-2118
> URL: https://issues.apache.org/jira/browse/SUREFIRE-2118
> Project: Maven Surefire
>  Issue Type: Bug
>  Components: Junit 4.7+ (parallel) support, Maven Surefire Plugin, 
> xml generation
>Affects Versions: 3.0.0-M7
>Reporter: Yamini
>Priority: Major
>
> We expect the format of surefire .xml report for test failing in all rerun to 
> be as mentioned in 
> [https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]
> But, I can see the following format for my run 
> rerunFailingTestsCount = 2
> {code:java}
>   
>  first failure stack trace   
> 
> rerun failure stack trace 
> 
>      
> rerun failure stack trace 
>  rerun failure  
> 
>  {code}
> we have only one system-out in last rerunFailure.
>  
> surefire-plugin
>  
> {code:java}
>  
> org.apache.maven.plugins
> maven-surefire-plugin
> 3.0.0-M7
> 
> 
> org.apache.maven.surefire
> surefire-junit47
> 3.0.0-M7
> 
> 
> 
> 
>  
> true
> 
> all
> 4
> 1C
> ${tests.groups}
> 2
> 
>  {code}
>  
> Why is it not compliant? Can the issue be fixed? 
> Please let me know if you need any more information.
>  





[jira] [Updated] (SUREFIRE-2118) surefire-report xml format not compliant with xsi for test failing in all of the re-runs

2022-10-05 Thread Yamini (Jira)


 [ 
https://issues.apache.org/jira/browse/SUREFIRE-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yamini updated SUREFIRE-2118:
-
Description: 
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

surefire-plugin
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 

  was:
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

surefire-plugin

 
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 


> surefire-report xml format not compliant with xsi for test failing in all of 
> the re-runs
> 
>
> Key: SUREFIRE-2118
> URL: https://issues.apache.org/jira/browse/SUREFIRE-2118
> Project: Maven Surefire
>  Issue Type: Bug
>  Components: Junit 4.7+ (parallel) support, Maven Surefire Plugin, 
> xml generation
>Affects Versions: 3.0.0-M7
>Reporter: Yamini
>Priority: Major
>
> We expect the format of surefire .xml report for test failing in all rerun to 
> be as mentioned in 
> [https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]
> But, I can see the following format for my run 
> rerunFailingTestsCount = 2
> {code:java}
>   
>  first failure stack trace   
> 
> rerun failure stack trace 
> 
>      
> rerun failure stack trace 
>  rerun failure  
> 
>  {code}
> we have only one system-out in last rerunFailure.
>  
> surefire-plugin
> {code:java}
>  
> org.apache.maven.plugins
> maven-surefire-plugin
> 3.0.0-M7
> 
> 
> org.apache.maven.surefire
> surefire-junit47
> 3.0.0-M7
> 
> 
> 
> 
>  
> true
> 
> all
> 4
> 1C
> ${tests.groups}
> 2
> 
>  {code}
>  
> Why is it not compliant? Can the issue be fixed? 
> Please let me know if you need any more information.
>  





[jira] [Commented] (MNG-7492) Invalid POMs are blithefully ignored

2022-10-05 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17612969#comment-17612969
 ] 

Michael Osipov commented on MNG-7492:
-

Still waiting...

> Invalid POMs are blithefully ignored
> 
>
> Key: MNG-7492
> URL: https://issues.apache.org/jira/browse/MNG-7492
> Project: Maven
>  Issue Type: Improvement
>  Components: Dependencies
>Affects Versions: 3.6.3
>Reporter: Robert Krajewski
>Priority: Major
>  Labels: dependency, invalid, model, transitive
> Fix For: waiting-for-feedback, wontfix-candidate
>
>
> Invalid poms prevent construction of the model's dependencies tree (and thus 
> the model itself) and yet are only warnings:
> {{[WARNING] Invalid POM , transitive dependencies (if any) will not be 
> available, enable debug logging for more details}}
> Once this happens, Java compiler errors often ensue and are completely 
> mysterious. Debug logging will tell you why the POM is missing, but it 
> doesn't stop a nonsensical model from being treated as valid. Which it's 
> {*}not{*}.
> See 
> https://stackoverflow.com/questions/59944898/fail-on-invalid-or-missing-poms 
> for a discussion. Workarounds don't fix the issue.
> Please implement an option to make this situation fail the build in Maven 3. 
> Even better, make it the default in a future version like Maven 4.
>  





[jira] [Created] (MNGSITE-495) Clarify merging of repositories/pluginRepositories

2022-10-05 Thread Konrad Windszus (Jira)
Konrad Windszus created MNGSITE-495:
---

 Summary: Clarify merging of repositories/pluginRepositories
 Key: MNGSITE-495
 URL: https://issues.apache.org/jira/browse/MNGSITE-495
 Project: Maven Project Web Site
  Issue Type: Improvement
Reporter: Konrad Windszus


According to 
https://github.com/apache/maven/blob/2a9f39336cec1d8e52d30cc48503d51ed8672536/maven-model-builder/src/main/java/org/apache/maven/model/merge/MavenModelMerger.java#L263
 repositories from child poms overwrite repositories with the same id from the 
parent pom completely (instead of merging them per id). As this is unexpected 
and different from plugin execution ids it should be clarified in 
https://maven.apache.org/guides/introduction/introduction-to-the-pom.html#Project_Inheritance





[jira] [Created] (WAGON-630) Auto-update repository access tokens

2022-10-05 Thread Steve Mitchell (Jira)
Steve Mitchell created WAGON-630:


 Summary: Auto-update repository access tokens
 Key: WAGON-630
 URL: https://issues.apache.org/jira/browse/WAGON-630
 Project: Maven Wagon
  Issue Type: New Feature
  Components: wagon-http, wagon-http-lightweight
Reporter: Steve Mitchell


Support hands-free access to [repositories|https://stackoverflow.com/questions/73950826/setting-dynamic-password-from-maven] that authenticate with short-lived access tokens. When needed, call out to a configured shell script to update a configured system property with the repo's temporary password.

Implementation ideas: Receive from the shell script's stdout the content of a 
Java properties file.  Use a TTL property received from the shell script to set 
an expiration property – call the shell script only when the expiration 
property doesn't exist or will soon pass.  For security, prepend a configured 
prefix to the name of each system property to be set.

Document the configuration parameters.



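As an added sketch of the "Implementation ideas" above, here is the refresh-on-expiry and prefix logic in Java; this is not Maven Wagon code, and the class name, the `ttlSeconds` key and the `Supplier` standing in for the shell script invocation are assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.util.Properties;
import java.util.function.Supplier;

/**
 * Illustration of the WAGON-630 proposal (not Maven Wagon code).
 * A configured helper script prints a Java properties file on stdout. The
 * refresher parses it, derives an expiration from a TTL property, copies the
 * remaining entries into system properties under a fixed prefix, and calls the
 * script again only when that expiration is missing or about to pass.
 * The class name, the "ttlSeconds" key and the Supplier standing in for the
 * script invocation are assumptions made for this example.
 */
public final class TokenRefresher {
    /** Key the script is assumed to use for its time-to-live, in seconds. */
    static final String TTL_KEY = "ttlSeconds";
    /** Refresh this far ahead of expiry so an in-flight download never uses a dead token. */
    static final Duration MARGIN = Duration.ofSeconds(30);

    private final String prefix;
    private final Supplier<String> script; // stand-in for running the shell script and capturing stdout
    private final Properties target;       // in a real plugin this would be System.getProperties()
    private Instant expiresAt;             // null until the first successful refresh

    public TokenRefresher(String prefix, Supplier<String> script, Properties target) {
        if (prefix == null || prefix.isEmpty()) {
            throw new IllegalArgumentException("a non-empty prefix is required");
        }
        this.prefix = prefix.endsWith(".") ? prefix : prefix + ".";
        this.script = script;
        this.target = target;
    }

    /** @return true if the script was invoked, false if the cached token is still fresh */
    public boolean refreshIfNeeded(Instant now) throws IOException {
        if (expiresAt != null && now.plus(MARGIN).isBefore(expiresAt)) {
            return false;
        }
        Properties fresh = new Properties();
        fresh.load(new StringReader(script.get()));

        String ttl = fresh.getProperty(TTL_KEY);
        if (ttl == null) {
            throw new IOException("script output lacks " + TTL_KEY);
        }
        long seconds;
        try {
            seconds = Long.parseLong(ttl.trim());
        } catch (NumberFormatException e) {
            throw new IOException("bad " + TTL_KEY + ": " + ttl, e);
        }
        if (seconds <= 0) {
            throw new IOException(TTL_KEY + " must be positive, got " + seconds);
        }

        for (String name : fresh.stringPropertyNames()) {
            if (TTL_KEY.equals(name)) {
                continue;
            }
            // The prefix is the security boundary: whatever keys the script
            // emits, it can only ever set "<prefix>.<key>", so an entry named
            // "java.home" cannot replace the JVM's real java.home property.
            target.setProperty(prefix + name, fresh.getProperty(name));
        }
        expiresAt = now.plusSeconds(seconds);
        return true;
    }

    public Instant expiresAt() {
        return expiresAt;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the script output: a 10-minute TTL plus one
        // entry that must not reach the real java.home property.
        String stdout = "password=tok-constructed-1234\nuser=ci-bot\nttlSeconds=600\n"
            + "java.home=/somewhere/else\n";
        Properties sysProps = new Properties();
        TokenRefresher r = new TokenRefresher("repo.token", () -> stdout, sysProps);

        Instant t0 = Instant.parse("2022-10-05T12:00:00Z");
        System.out.println("first call ran script:   " + r.refreshIfNeeded(t0));
        // 5 minutes in: well before expiry, so the cached token is reused
        System.out.println("5 min later ran script:  " + r.refreshIfNeeded(t0.plusSeconds(300)));
        // 9m45s in: inside the 30 s margin before expiry, so the script runs again
        System.out.println("9m45s later ran script:  " + r.refreshIfNeeded(t0.plusSeconds(585)));
        System.out.println("repo.token.password -> " + sysProps.getProperty("repo.token.password"));
        System.out.println("real java.home untouched: " + (sysProps.getProperty("java.home") == null));
    }
}
```

Values copied into system properties are readable by any code running in the same JVM, so the prefix limits what the script can overwrite but does not hide the token.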


[jira] [Updated] (SUREFIRE-2118) surefire-report xml format not compliant with xsi for test failing in all of the re-runs

2022-10-05 Thread Yamini (Jira)


 [ 
https://issues.apache.org/jira/browse/SUREFIRE-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yamini updated SUREFIRE-2118:
-
Description: 
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html#:~:text=2)-,The%20test%20fails%20in%20all%20of%20the%20re%2Druns%3A,-failure%20and%20error]
 

But, I can see the following format for my run 

rerunFailingTestsCount = 2
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one  in last rerunFailure.  is missing 
under  and first 

 

surefire-plugin
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 

  was:
We expect the format of surefire .xml report for test failing in all rerun to 
be as mentioned in 
[https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html]

But, I can see the following format for my run 

rerunFailingTestsCount = 2
{code:java}
  
 first failure stack trace   

rerun failure stack trace 

     
rerun failure stack trace 
 rerun failure  

 {code}
we have only one system-out in last rerunFailure.

 

surefire-plugin
{code:java}
 
org.apache.maven.plugins
maven-surefire-plugin
3.0.0-M7


org.apache.maven.surefire
surefire-junit47
3.0.0-M7




 true

all
4
1C
${tests.groups}
2

 {code}
 

Why is it not compliant? Can the issue be fixed? 
Please let me know if you need any more information.

 


> surefire-report xml format not compliant with xsi for test failing in all of 
> the re-runs
> 
>
> Key: SUREFIRE-2118
> URL: https://issues.apache.org/jira/browse/SUREFIRE-2118
> Project: Maven Surefire
>  Issue Type: Bug
>  Components: Junit 4.7+ (parallel) support, Maven Surefire Plugin, 
> xml generation
>Affects Versions: 3.0.0-M7
>Reporter: Yamini
>Priority: Major
>
> We expect the format of surefire .xml report for test failing in all rerun to 
> be as mentioned in 
> [https://maven.apache.org/surefire/maven-surefire-plugin/examples/rerun-failing-tests.html#:~:text=2)-,The%20test%20fails%20in%20all%20of%20the%20re%2Druns%3A,-failure%20and%20error]
>  
> But, I can see the following format for my run 
> rerunFailingTestsCount = 2
> {code:java}
>   
>  first failure stack trace   
> 
> rerun failure stack trace 
> 
>      
> rerun failure stack trace 
>  rerun failure  
> 
>  {code}
> we have only one  in last rerunFailure.  is missing 
> under  and first 
>  
> surefire-plugin
> {code:java}
>  
> org.apache.maven.plugins
> maven-surefire-plugin
> 3.0.0-M7
> 
> 
> org.apache.maven.surefire
> surefire-junit47
> 3.0.0-M7
> 
> 
> 
> 
>  
> true
> 
> all
> 4
> 1C
> ${tests.groups}
> 2
> 
>  {code}
>  
> Why is it not compliant? Can the issue be fixed? 
> Please let me know if you need any more information.
>  





[jira] [Created] (MPOM-346) publish SBOM on release

2022-10-05 Thread Herve Boutemy (Jira)
Herve Boutemy created MPOM-346:
--

 Summary: publish SBOM on release
 Key: MPOM-346
 URL: https://issues.apache.org/jira/browse/MPOM-346
 Project: Maven POMs
  Issue Type: New Feature
  Components: asf
Affects Versions: ASF-27
Reporter: Herve Boutemy


like done in common-parent 
https://github.com/apache/commons-parent/commit/a60b06a7fab971e9479e5966fb692290f14588fc





[jira] [Commented] (MNG-7549) Upgrade Core ITs to Maven Verifier 2.0.0-M1

2022-10-05 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613040#comment-17613040
 ] 

Hudson commented on MNG-7549:
-

Build succeeded in Jenkins: Maven » Maven TLP » maven » maven-3.9.x #74

See 
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/maven-3.9.x/74/

> Upgrade Core ITs to Maven Verifier 2.0.0-M1
> ---
>
> Key: MNG-7549
> URL: https://issues.apache.org/jira/browse/MNG-7549
> Project: Maven
>  Issue Type: Dependency upgrade
>  Components: Integration Tests
>Reporter: Michael Osipov
>Assignee: Michael Osipov
>Priority: Major
>






[jira] [Updated] (MPOM-346) publish SBOM on release

2022-10-05 Thread Herve Boutemy (Jira)


 [ 
https://issues.apache.org/jira/browse/MPOM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Herve Boutemy updated MPOM-346:
---
Description: like done in common-parent 
https://github.com/apache/commons-parent/pull/122  (was: like done in 
common-parent 
https://github.com/apache/commons-parent/commit/a60b06a7fab971e9479e5966fb692290f14588fc)

> publish SBOM on release
> ---
>
> Key: MPOM-346
> URL: https://issues.apache.org/jira/browse/MPOM-346
> Project: Maven POMs
>  Issue Type: New Feature
>  Components: asf
>Affects Versions: ASF-27
>Reporter: Herve Boutemy
>Priority: Major
>
> like done in common-parent https://github.com/apache/commons-parent/pull/122





[jira] [Updated] (MPOM-346) publish SBOM on release

2022-10-05 Thread Herve Boutemy (Jira)


 [ 
https://issues.apache.org/jira/browse/MPOM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Herve Boutemy updated MPOM-346:
---
Description: like done in commons-parent 
https://github.com/apache/commons-parent/pull/122  (was: like done in 
common-parent https://github.com/apache/commons-parent/pull/122)

> publish SBOM on release
> ---
>
> Key: MPOM-346
> URL: https://issues.apache.org/jira/browse/MPOM-346
> Project: Maven POMs
>  Issue Type: New Feature
>  Components: asf
>Affects Versions: ASF-27
>Reporter: Herve Boutemy
>Priority: Major
>
> like done in commons-parent https://github.com/apache/commons-parent/pull/122





[jira] [Closed] (MEAR-318) Require Maven 3.2.5

2022-10-05 Thread Slawomir Jaranowski (Jira)


 [ 
https://issues.apache.org/jira/browse/MEAR-318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Slawomir Jaranowski closed MEAR-318.

Resolution: Fixed

> Require Maven 3.2.5
> ---
>
> Key: MEAR-318
> URL: https://issues.apache.org/jira/browse/MEAR-318
> Project: Maven EAR Plugin
>  Issue Type: Dependency upgrade
>Reporter: Slawomir Jaranowski
>Assignee: Slawomir Jaranowski
>Priority: Major
> Fix For: 3.3.0
>
>






[jira] [Closed] (MEAR-317) Bump maven-shared-utils from 3.3.3 to 3.3.4

2022-10-05 Thread Slawomir Jaranowski (Jira)


 [ 
https://issues.apache.org/jira/browse/MEAR-317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Slawomir Jaranowski closed MEAR-317.

Resolution: Fixed

> Bump maven-shared-utils from 3.3.3 to 3.3.4
> ---
>
> Key: MEAR-317
> URL: https://issues.apache.org/jira/browse/MEAR-317
> Project: Maven EAR Plugin
>  Issue Type: Dependency upgrade
>Reporter: Slawomir Jaranowski
>Assignee: Slawomir Jaranowski
>Priority: Major
> Fix For: 3.3.0
>
>






[jira] [Commented] (MEAR-318) Require Maven 3.2.5

2022-10-05 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MEAR-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613122#comment-17613122
 ] 

Hudson commented on MEAR-318:
-

Build unstable in Jenkins: Maven » Maven TLP » maven-ear-plugin » master #27

See 
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-ear-plugin/job/master/27/

> Require Maven 3.2.5
> ---
>
> Key: MEAR-318
> URL: https://issues.apache.org/jira/browse/MEAR-318
> Project: Maven EAR Plugin
>  Issue Type: Dependency upgrade
>Reporter: Slawomir Jaranowski
>Assignee: Slawomir Jaranowski
>Priority: Major
> Fix For: 3.3.0
>
>






[jira] [Commented] (MEAR-298) Improving EAR packaging performance with ZipFileSystem

2022-10-05 Thread Slawomir Jaranowski (Jira)


[ 
https://issues.apache.org/jira/browse/MEAR-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613125#comment-17613125
 ] 

Slawomir Jaranowski commented on MEAR-298:
--

[~peteruhnak] PRs are always welcome.
Yes, I know ... some time has elapsed since the issue's creation :)

The idea of not repacking the whole artifact looks very good.

> Improving EAR packaging performance with ZipFileSystem
> --
>
> Key: MEAR-298
> URL: https://issues.apache.org/jira/browse/MEAR-298
> Project: Maven EAR Plugin
>  Issue Type: Improvement
>Reporter: Peter Uhnak
>Priority: Minor
>
> Hi, I was exploring performance around the ear packaging on Windows, and 
> found a major bottleneck in the `EarMojo#changeManifestClasspath`.
> The current implementation always unpacks and then re-packs all its modules 
> to check/make manifest.mf changes, and remove jars if necessary (skinnyWars).
> On Windows, this is extra costly for modules with too many small files (e.g. 
> war). Plus the extra time of uncompressing/compressing. (This also changes 
> the war's compression, if configured in the maven-war-plugin).
> I have a working implementation using nio ZipFileSystem which performs all 
> changes directly in the zip, so I can make a PR.
> For our projects I'm seeing 70-90+% perf improvements (or rather 
> near-constant time vs time increasing with the size of the modules).
>  





[jira] [Closed] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread Slawomir Jaranowski (Jira)


 [ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Slawomir Jaranowski closed MWRAPPER-75.
---
Fix Version/s: 3.2.0
   Resolution: Fixed

> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread Hudson (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613128#comment-17613128
 ] 

Hudson commented on MWRAPPER-75:


Build failed in Jenkins: Maven » Maven TLP » maven-wrapper » master #48

See 
https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-wrapper/job/master/48/

> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.





[GitHub] [maven-filtering] slawekjaranowski closed pull request #51: Bump slf4jVersion from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


slawekjaranowski closed pull request #51: Bump slf4jVersion from 1.7.36 to 2.0.3
URL: https://github.com/apache/maven-filtering/pull/51


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [maven-verifier] dependabot[bot] commented on pull request #54: Bump slf4j-simple from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #54:
URL: https://github.com/apache/maven-verifier/pull/54#issuecomment-1264658619

   OK, I won't notify you again about this release, but will get in touch when 
a new version is available. If you'd rather skip all updates until the next 
major or minor version, let me know by commenting `@dependabot ignore this 
major version` or `@dependabot ignore this minor version`. You can also ignore 
all major, minor, or patch releases for a dependency by adding an [`ignore` 
condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore)
 with the desired `update_types` to your config file.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts 
on it.





[GitHub] [maven-verifier] slawekjaranowski closed pull request #54: Bump slf4j-simple from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


slawekjaranowski closed pull request #54: Bump slf4j-simple from 1.7.36 to 2.0.3
URL: https://github.com/apache/maven-verifier/pull/54





[GitHub] [maven-script-interpreter] slawekjaranowski closed pull request #80: Bump slf4j.version from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


slawekjaranowski closed pull request #80: Bump slf4j.version from 1.7.36 to 
2.0.3
URL: https://github.com/apache/maven-script-interpreter/pull/80





[GitHub] [maven-filtering] dependabot[bot] commented on pull request #51: Bump slf4jVersion from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #51:
URL: https://github.com/apache/maven-filtering/pull/51#issuecomment-1264658876

   OK, I won't notify you again about this release, but will get in touch when 
a new version is available. You can also ignore all major, minor, or patch 
releases for a dependency by adding an [`ignore` 
condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore)
 with the desired `update_types` to your config file.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts 
on it.





[GitHub] [maven-script-interpreter] dependabot[bot] commented on pull request #80: Bump slf4j.version from 1.7.36 to 2.0.3

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #80:
URL: 
https://github.com/apache/maven-script-interpreter/pull/80#issuecomment-1264659428

   OK, I won't notify you again about this release, but will get in touch when 
a new version is available. You can also ignore all major, minor, or patch 
releases for a dependency by adding an [`ignore` 
condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore)
 with the desired `update_types` to your config file.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts 
on it.





[GitHub] [maven-mvnd] theit opened a new pull request, #699: Fix for JUnit test failing on Windows

2022-10-05 Thread GitBox


theit opened a new pull request, #699:
URL: https://github.com/apache/maven-mvnd/pull/699

   Fixes #695





[GitHub] [maven-mvnd] theit commented on issue #695: Possible problem when resizing the daemon registry

2022-10-05 Thread GitBox


theit commented on issue #695:
URL: https://github.com/apache/maven-mvnd/issues/695#issuecomment-1264669773

   Yes, sure.





[GitHub] [maven-verifier] slawekjaranowski commented on a diff in pull request #55: Deprecate multivariant constructors for removal

2022-10-05 Thread GitBox


slawekjaranowski commented on code in PR #55:
URL: https://github.com/apache/maven-verifier/pull/55#discussion_r985248420


##
src/main/java/org/apache/maven/shared/verifier/Verifier.java:
##
@@ -115,87 +115,195 @@
 
 private static MavenLauncher embeddedLauncher;
 
+private String settingsFile;
+
+private boolean debug;
+
 public Verifier( String basedir )
 throws VerificationException
 {
-this( basedir, null );
+this.basedir = basedir;
+
+this.forkMode = System.getProperty( "verifier.forkMode" );
+
+findLocalRepo( settingsFile );
+
+this.mavenHome = System.getProperty( "maven.home" );
+
+useWrapper = Files.exists( Paths.get( getBasedir(), "mvnw" ) );
+
+this.defaultCliArguments = DEFAULT_CLI_ARGUMENTS.clone();
+
 }
 
+/**
+*
+* @deprecated to be removed
+* use {@link #Verifier(String basedir)}
+ *
+* */
+@Deprecated
 public Verifier( String basedir, boolean debug )
 throws VerificationException
 {
-this( basedir, null, debug );
+this( basedir );
+setDebug( debug );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)}
+ * use {@link #setSettingsFile(String settingsFile)} to set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile )
 throws VerificationException
 {
-this( basedir, settingsFile, false );
+this( basedir );
+setSettingsFile( settingsFile );
+
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)}
+ * and {@link #setSettingsFile(String settingsFile)} to set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, DEFAULT_CLI_ARGUMENTS );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ * {@link #setSettingsFile(String settingsFile)} to set settings file
+ * and {@link #setDefaultCliArguments(String[] defaultCliArguments)} to 
set default cliArguments
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
String[] defaultCliArguments )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, null, defaultCliArguments );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+setMavenHome( null );
+setDefaultCliArguments( defaultCliArguments );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String)},
+ * {@link #setSettingsFile(String)} to set settings file
+ * and {@link #setForkJvm(Boolean)} to set forkJvm status
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
boolean forkJvm )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, forkJvm, DEFAULT_CLI_ARGUMENTS );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+setForkJvm( forkJvm );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ *{@link #setSettingsFile(String settingsFile)} to set settings file,
+ *{@link #setForkJvm(Boolean)} to set forkJvm status and
+ * use {@link #setDefaultCliArguments(String[] defaultCliArguments)} to 
set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
boolean forkJvm, String[] defaultCliArguments )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, forkJvm, defaultCliArguments, null 
);
+this( basedir );
+setSettingsFile( basedir );
+setDebug( debug );
+setForkJvm( forkJvm );
+setDefaultCliArguments( defaultCliArguments );
+setMavenHome( null );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ * {@link #setSettingsFile(String settingsFile)} to set settings file
+ * and {@link #setMavenHome(String mavenHome)}  to set maven home
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
String mavenHome )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, null, DEFAULT_CLI_ARGUMENTS, 
mavenHome );
+this( basedir );
+setForkJvm( null );
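
Review bot: the deprecated `Verifier( String basedir, String settingsFile, boolean debug, boolean forkJvm, String[] defaultCliArguments )` constructor sets the settings file from the wrong argument: `+setSettingsFile( basedir );` should be `setSettingsFile( settingsFile );`, otherwise callers of that variant silently get their project directory used as the settings path. Related ordering problem in the new one-argument constructor: `+findLocalRepo( settingsFile );` runs while the `settingsFile` field is still null, and every deprecated variant only calls `setSettingsFile(...)` after `this( basedir )`, so the local repository is resolved before the settings file is known unless `setSettingsFile` re-runs `findLocalRepo` (not visible in this hunk); either pass the settings file into the base constructor or re-resolve the repository in the setter.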

Review Comment:
   Is it needed?



##
src/main/java/org/apache/maven/shared/verifier/Verifier.java:
##
@@ -115,87 +115,195 @@

[GitHub] [maven-verifier] adekzs commented on a diff in pull request #55: Deprecate multivariant constructors for removal

2022-10-05 Thread GitBox


adekzs commented on code in PR #55:
URL: https://github.com/apache/maven-verifier/pull/55#discussion_r985251218


##
src/main/java/org/apache/maven/shared/verifier/Verifier.java:
##
@@ -115,87 +115,195 @@
 
 private static MavenLauncher embeddedLauncher;
 
+private String settingsFile;
+
+private boolean debug;
+
 public Verifier( String basedir )
 throws VerificationException
 {
-this( basedir, null );
+this.basedir = basedir;
+
+this.forkMode = System.getProperty( "verifier.forkMode" );
+
+findLocalRepo( settingsFile );
+
+this.mavenHome = System.getProperty( "maven.home" );
+
+useWrapper = Files.exists( Paths.get( getBasedir(), "mvnw" ) );
+
+this.defaultCliArguments = DEFAULT_CLI_ARGUMENTS.clone();
+
 }
 
+/**
+*
+* @deprecated to be removed
+* use {@link #Verifier(String basedir)}
+ *
+* */
+@Deprecated
 public Verifier( String basedir, boolean debug )
 throws VerificationException
 {
-this( basedir, null, debug );
+this( basedir );
+setDebug( debug );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)}
+ * use {@link #setSettingsFile(String settingsFile)} to set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile )
 throws VerificationException
 {
-this( basedir, settingsFile, false );
+this( basedir );
+setSettingsFile( settingsFile );
+
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)}
+ * and {@link #setSettingsFile(String settingsFile)} to set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, DEFAULT_CLI_ARGUMENTS );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ * {@link #setSettingsFile(String settingsFile)} to set settings file
+ * and {@link #setDefaultCliArguments(String[] defaultCliArguments)} to 
set default cliArguments
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
String[] defaultCliArguments )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, null, defaultCliArguments );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+setMavenHome( null );
+setDefaultCliArguments( defaultCliArguments );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String)},
+ * {@link #setSettingsFile(String)} to set settings file
+ * and {@link #setForkJvm(Boolean)} to set forkJvm status
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
boolean forkJvm )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, forkJvm, DEFAULT_CLI_ARGUMENTS );
+this( basedir );
+setSettingsFile( settingsFile );
+setDebug( debug );
+setForkJvm( forkJvm );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ *{@link #setSettingsFile(String settingsFile)} to set settings file,
+ *{@link #setForkJvm(Boolean)} to set forkJvm status and
+ * use {@link #setDefaultCliArguments(String[] defaultCliArguments)} to 
set settings file
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
boolean forkJvm, String[] defaultCliArguments )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, forkJvm, defaultCliArguments, null 
);
+this( basedir );
+setSettingsFile( basedir );
+setDebug( debug );
+setForkJvm( forkJvm );
+setDefaultCliArguments( defaultCliArguments );
+setMavenHome( null );
 }
 
+/**
+ *
+ * @deprecated to be removed
+ * use {@link #Verifier(String basedir)},
+ * {@link #setSettingsFile(String settingsFile)} to set settings file
+ * and {@link #setMavenHome(String mavenHome)}  to set maven home
+ *
+ * */
+@Deprecated
 public Verifier( String basedir, String settingsFile, boolean debug, 
String mavenHome )
 throws VerificationException
 {
-this( basedir, settingsFile, debug, null, DEFAULT_CLI_ARGUMENTS, 
mavenHome );
+this( basedir );
+setForkJvm( null );
+setDebug( debug );
+setSettingsFile( settingsFile );
+setMavenHome( mavenHome );
 }
 
+/**
+ *
+ * @deprecated to
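
Review bot: the deprecated variants disagree about `mavenHome`: the `String[] defaultCliArguments` and `boolean forkJvm, String[] defaultCliArguments` constructors call `+setMavenHome( null );` after `this( basedir )` has already done `+this.mavenHome = System.getProperty( "maven.home" );`, so they discard the system-property default, while the `boolean forkJvm` constructor keeps it. If the old chained constructors resolved a null `mavenHome` to the system property, drop those two calls; if they did not, the behavioural difference belongs in the `@deprecated` Javadoc. Two documentation nits in the same hunk: the Javadoc on the `boolean forkJvm, String[] defaultCliArguments` constructor says `setDefaultCliArguments` is used `to set settings file` (copy-paste from the line above; should read `to set default cliArguments`), and the comment on the `boolean debug` constructor uses `+*` where the others use `+ *`.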

[GitHub] [maven] gnodet opened a new pull request, #808: Replace Properties with Map

2022-10-05 Thread GitBox


gnodet opened a new pull request, #808:
URL: https://github.com/apache/maven/pull/808

   Remove properties from the v4 model and use Map instead





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264726403

   Alright, I got hold of a Windows machine. I did the final clean ups without 
one and of course I broke things after they already worked. Now it should be 
functional again.





[GitHub] [maven-dependency-analyzer] gnodet opened a new pull request, #69: Switch to maven 4 and the new api

2022-10-05 Thread GitBox


gnodet opened a new pull request, #69:
URL: https://github.com/apache/maven-dependency-analyzer/pull/69

   Switch to maven 4 and the new api





[GitHub] [maven-wrapper] szpak commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


szpak commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264734631

   @raphw Unfortunately, there still seem to be some problems on Windows :-/
   
https://github.com/apache/maven-wrapper/actions/runs/3169982576/jobs/5162469060#step:8:2570





[GitHub] [maven-wrapper] slawekjaranowski commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264738379

   Only one test is failing: `sha256_type_only-script`





[GitHub] [maven-wrapper] slawekjaranowski commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264745343

   More investigation is needed here, e.g. you use in the IT tests
   
   ```
   distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
   wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
   ```
   
   I see the same hash value for the wrapper jar and for the Maven distribution ...
   I am missing something.
   
   - Currently the IT tests use the latest Maven version, so what will happen
   when a new version of Maven is released?
   
   - The wrapper jar under test is one of those produced by the current build; the
   next build can produce a different file ...
   - The wrapper jar contains, e.g. in MANIFEST.MF, information about the JDK used
   by the build ... so when we have the same hash the test should fail
   
   I have not checked it yet ... I am only starting to think ...





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264750025

   > I see the same value of hash for wrapper jar and for Maven distribution 
... I miss something.
   
   To avoid such dependencies, the tests check for a checksum mismatch. The 
SHA-256 is not matching any Maven file.





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264750306

   > @raphw Unfortunately, there still seem to be some problems on Windows :-/ 
https://github.com/apache/maven-wrapper/actions/runs/3169982576/jobs/5162469060#step:8:2570
   
   I only ran the script on a Windows machine but forgot that there are two. 
Now it works, hopefully.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613136#comment-17613136
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264726403

   Alright, I got hold of a Windows machine. I did the final clean ups without 
one and of course I broke things after they already worked. Now it should be 
functional again.




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



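The checksum gate described in the MWRAPPER-75 report above, and the point from the PR #58 discussion that the IT tests deliberately use a SHA-256 matching no real Maven file so that the mismatch path is exercised, as an added example that is not the maven-wrapper project's own code: a POSIX shell check that reads `distributionSha256Sum` / `wrapperSha256Sum` from a properties file and refuses an artifact whose digest differs. The fixture files, the helper names (`check_artifact`, `make_fixture`, ...) and the file layout are assumptions; only the two property keys come from the PR.

```shell
#!/bin/sh
# Added example, not maven-wrapper's own code: verify a downloaded artifact
# against the SHA-256 declared in maven-wrapper.properties and refuse to run
# it on mismatch. The property keys follow PR #58 (distributionSha256Sum,
# wrapperSha256Sum); file layout and helper names are assumptions.

# Print the hex SHA-256 of FILE with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  else
    echo "no SHA-256 tool available" >&2
    return 2
  fi
}

# prop_value FILE KEY: value of KEY in a Java-style properties file; spaces
# around '=' are tolerated and the last definition wins.
prop_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# verify_sha256 FILE EXPECTED: 0 on match, 1 on mismatch, 2 on tool error.
# Digests are compared case-insensitively after stripping whitespace.
verify_sha256() {
  actual=$(sha256_of "$1") || return 2
  expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef' | tr -d '[:space:]')
  [ "$actual" = "$expected" ]
}

# check_artifact PROPS KEY FILE: when KEY is absent the check is skipped
# (opt-in, as in the PR); when present it fails closed before FILE is used,
# and a missing hashing tool is treated like a mismatch.
check_artifact() {
  expected=$(prop_value "$1" "$2")
  if [ -z "$expected" ]; then
    echo "$2 not set, skipping verification of $3" >&2
    return 0
  fi
  if verify_sha256 "$3" "$expected"; then
    echo "SHA-256 OK for $3"
    return 0
  fi
  echo "SHA-256 mismatch for $3, refusing to execute it" >&2
  return 1
}

# make_fixture DIR: constructed test data, not real Maven downloads.
# good.jar is empty, so its digest is the well-known empty-input SHA-256;
# tampered.jar has other content and must be rejected by the same value.
make_fixture() {
  : > "$1/good.jar"
  printf 'not the expected bytes' > "$1/tampered.jar"
  cat > "$1/maven-wrapper.properties" <<'EOF'
distributionUrl=https://example.invalid/apache-maven-bin.zip
distributionSha256Sum = E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
wrapperSha256Sum=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
EOF
}

# demo: exercise both paths; succeeds only if the intact file passes and
# the tampered one is rejected with status 1.
demo() {
  dir=$(mktemp -d) || return 2
  make_fixture "$dir"
  props="$dir/maven-wrapper.properties"
  good=0; check_artifact "$props" wrapperSha256Sum "$dir/good.jar" || good=$?
  bad=0; check_artifact "$props" distributionSha256Sum "$dir/tampered.jar" || bad=$?
  rm -rf "$dir"
  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "demo: intact artifact accepted, tampered artifact rejected"
```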


[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613137#comment-17613137
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


szpak commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264734631

   @raphw Unfortunately, there still seem to be some problems on Windows :-/
   
https://github.com/apache/maven-wrapper/actions/runs/3169982576/jobs/5162469060#step:8:2570









[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613144#comment-17613144
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264750025

   > I see the same value of hash for wrapper jar and for Maven distribution 
... I miss something.
   
   To avoid such dependencies, the tests check for a checksum mismatch. The 
SHA-256 is not matching any Maven file.









[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613139#comment-17613139
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264738379

   Only one test is failing: `sha256_type_only-script`









[jira] [Commented] (WAGON-630) Auto-update repository access tokens

2022-10-05 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/WAGON-630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613142#comment-17613142
 ] 

Michael Osipov commented on WAGON-630:
--

This sounds like a totally custom solution. It might be better to add a custom 
auth scheme or interceptor to the HttpClient.

> Auto-update repository access tokens
> 
>
> Key: WAGON-630
> URL: https://issues.apache.org/jira/browse/WAGON-630
> Project: Maven Wagon
>  Issue Type: New Feature
>  Components: wagon-http, wagon-http-lightweight
>Reporter: Steve Mitchell
>Priority: Major
>
> Support hands-free access to 
> [repositories|https://stackoverflow.com/questions/73950826/setting-dynamic-password-from-maven]
>  that authenticate with short-lived access tokens.  When needed, call out to a 
> configured shell script to update a configured system property with the 
> repo's temporary password.
> Implementation ideas: Receive from the shell script's stdout the content of a 
> Java properties file.  Use a TTL property received from the shell script to 
> set an expiration property – call the shell script only when the expiration 
> property doesn't exist or will soon pass.  For security, prepend a configured 
> prefix to the name of each system property to be set.
> Document the configuration parameters.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613141#comment-17613141
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264745343

   More investigation is needed here, e.g. you use in the IT tests
   
   ```
   distributionSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
   wrapperSha256Sum=7e0c63c6a99639e57cc64375d6717d72e301d8ab829fef2e145ee860317bc3cb
   ```
   
   I see the same hash value for the wrapper jar and for the Maven distribution ...
   I am missing something.
   
   - Currently the IT tests use the latest Maven version, so what will happen
   when a new version of Maven is released?
   
   - The wrapper jar under test is one of those produced by the current build; the
   next build can produce a different file ...
   - The wrapper jar contains, e.g. in MANIFEST.MF, information about the JDK used
   by the build ... so when we have the same hash the test should fail
   
   I have not checked it yet ... I am only starting to think ...









[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613145#comment-17613145
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1264750306

   > @raphw Unfortunately, there still seem to be some problems on Windows :-/ 
https://github.com/apache/maven-wrapper/actions/runs/3169982576/jobs/5162469060#step:8:2570
   
   I only ran the script on a Windows machine but forgot that there are two. 
Now it works, hopefully.









[GitHub] [maven-dependency-plugin] elharo opened a new pull request, #254: spelling

2022-10-05 Thread GitBox


elharo opened a new pull request, #254:
URL: https://github.com/apache/maven-dependency-plugin/pull/254

   @slachiewicz licence (two c's) is only used for nouns. The verb license 
always has an s, even in countries that spell the noun with two c's
   





[GitHub] [maven-dependency-analyzer] dependabot[bot] opened a new pull request, #70: Bump asm from 9.3 to 9.4

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #70:
URL: https://github.com/apache/maven-dependency-analyzer/pull/70

   Bumps asm from 9.3 to 9.4.
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.ow2.asm:asm&package-manager=maven&previous-version=9.3&new-version=9.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   





[GitHub] [maven-indexer] dependabot[bot] commented on pull request #233: Bump lucene.version from 9.2.0 to 9.3.0

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #233:
URL: https://github.com/apache/maven-indexer/pull/233#issuecomment-1264902733

   Superseded by #249.





[GitHub] [maven-shade-plugin] dependabot[bot] opened a new pull request, #156: Bump asmVersion from 9.3 to 9.4

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #156:
URL: https://github.com/apache/maven-shade-plugin/pull/156

   Bumps `asmVersion` from 9.3 to 9.4.
   Updates `asm` from 9.3 to 9.4
   
   Updates `asm-commons` from 9.3 to 9.4
   
   





[GitHub] [maven-indexer] dependabot[bot] closed pull request #233: Bump lucene.version from 9.2.0 to 9.3.0

2022-10-05 Thread GitBox


dependabot[bot] closed pull request #233: Bump lucene.version from 9.2.0 to 
9.3.0
URL: https://github.com/apache/maven-indexer/pull/233





[GitHub] [maven-indexer] dependabot[bot] commented on pull request #243: Bump logback.version from 1.2.11 to 1.4.1

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #243:
URL: https://github.com/apache/maven-indexer/pull/243#issuecomment-1264902826

   Superseded by #250.





[GitHub] [maven-indexer] dependabot[bot] opened a new pull request, #250: Bump logback.version from 1.2.11 to 1.4.3

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #250:
URL: https://github.com/apache/maven-indexer/pull/250

   Bumps `logback.version` from 1.2.11 to 1.4.3.
   Updates `logback-classic` from 1.2.11 to 1.4.3
   
   Commits
   - 7a7ffa6 prepare release 1.4.3 (https://github.com/qos-ch/logback/commit/7a7ffa63d705509f0c5d0b7aa91e0b23900e45c7)
   - b247624 fix LOGBACK-LOGBACK-1690 (https://github.com/qos-ch/logback/commit/b2476240ce301e2e6efd5c18d9527259904ba252)
   - 6f588fe start work on 1.4.3-SNAPSHOT (https://github.com/qos-ch/logback/commit/6f588feb2f5fdcd1eb1e7ad3b3e81d18f0f83355)
   - 2282273 prepare release 1.4.2 (https://github.com/qos-ch/logback/commit/22822738d517378ad79653741b7f2e3aad9859e9)
   - fc78b86 fix LOGBACK-1689 (https://github.com/qos-ch/logback/commit/fc78b867aa25efe324cb3e185f171c8bd029d8ce)
   - 967d736 logback-access cannot be modularized at this stage (https://github.com/qos-ch/logback/commit/967d736f72ac875e6c58d983dc3530e3c54206eb)
   - 74a44b9 move disabled tests to logback-classic-blackbox (https://github.com/qos-ch/logback/commit/74a44b922168d86363b6bbc3322543ed66ae5d39)
   - c3d75b2 re-enabling temporarily disabled tests by virtue of their move to logback-cla... (https://github.com/qos-ch/logback/commit/c3d75b27d8d3076fa25b5d554231f11424f6ff51)
   - c336307 started black box testing (https://github.com/qos-ch/logback/commit/c3363071fb62aefa312e8e565b283dbbc463d980)
   - f22db3f all tests pass with Junit 5, Janino tests were disabled (https://github.com/qos-ch/logback/commit/f22db3f8a4546b3a13449292a2b2def6dc7b08bd)
   Additional commits viewable in compare view (https://github.com/qos-ch/logback/compare/v_1.2.11...v_1.4.3)
   
   
   
   
   Updates `logback-core` from 1.2.11 to 1.4.3
   
   Commits
   - 7a7ffa6 prepare release 1.4.3 (https://github.com/qos-ch/logback/commit/7a7ffa63d705509f0c5d0b7aa91e0b23900e45c7)
   - b247624 fix LOGBACK-LOGBACK-1690 (https://github.com/qos-ch/logback/commit/b2476240ce301e2e6efd5c18d9527259904ba252)
   - 6f588fe start work on 1.4.3-SNAPSHOT (https://github.com/qos-ch/logback/commit/6f588feb2f5fdcd1eb1e7ad3b3e81d18f0f83355)
   - 2282273 prepare release 1.4.2 (https://github.com/qos-ch/logback/commit/22822738d517378ad79653741b7f2e3aad9859e9)
   - fc78b86 fix LOGBACK-1689 (https://github.com/qos-ch/logback/commit/fc78b867aa25efe324cb3e185f171c8bd029d8ce)
   - 967d736 logback-access cannot be modularized at this stage (https://github.com/qos-ch/logback/commit/967d736f72ac875e6c58d983dc3530e3c54206eb)
   - 74a44b9 move disabled tests to logback-classic-blackbox (https://github.com/qos-ch/logback/commit/74a44b922168d86363b6bbc3322543ed66ae5d39)
   - c3d75b2 re-enabling temporarily disabled tests by virtue of their move to logback-cla... (https://github.com/qos-ch/logback/commit/c3d75b27d8d3076fa25b5d554231f11424f6ff51)
   - c336307 started black box testing (https://github.com/qos-ch/logback/commit/c3363071fb62aefa312e8e565b283dbbc463d980)
   - f22db3f all tests pass with Junit 5, Janino tests were disabled (https://github.com/qos-ch/logback/commit/f22db3f8a4546b3a13449292a2b2def6dc7b08bd)
   Additional commits viewable in compare view (https://github.com/qos-ch/logback/compare/v_1.2.11...v_1.4.3)
   
   
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   
   



[GitHub] [maven-indexer] dependabot[bot] closed pull request #243: Bump logback.version from 1.2.11 to 1.4.1

2022-10-05 Thread GitBox


dependabot[bot] closed pull request #243: Bump logback.version from 1.2.11 to 
1.4.1
URL: https://github.com/apache/maven-indexer/pull/243





[GitHub] [maven-help-plugin] dependabot[bot] opened a new pull request, #73: Bump asm from 9.3 to 9.4

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #73:
URL: https://github.com/apache/maven-help-plugin/pull/73

   Bumps asm from 9.3 to 9.4.
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.ow2.asm:asm&package-manager=maven&previous-version=9.3&new-version=9.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   
   





[GitHub] [maven-help-plugin] dependabot[bot] opened a new pull request, #74: Bump asm-commons from 9.3 to 9.4

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #74:
URL: https://github.com/apache/maven-help-plugin/pull/74

   Bumps asm-commons from 9.3 to 9.4.
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.ow2.asm:asm-commons&package-manager=maven&previous-version=9.3&new-version=9.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   
   





[GitHub] [maven-indexer] dependabot[bot] opened a new pull request, #249: Bump lucene.version from 9.2.0 to 9.4.0

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #249:
URL: https://github.com/apache/maven-indexer/pull/249

   Bumps `lucene.version` from 9.2.0 to 9.4.0.
   Updates `lucene-core` from 9.2.0 to 9.4.0
   
   Updates `lucene-queryparser` from 9.2.0 to 9.4.0
   
   Updates `lucene-analysis-common` from 9.2.0 to 9.4.0
   
   Updates `lucene-highlighter` from 9.2.0 to 9.4.0
   
   Updates `lucene-backward-codecs` from 9.2.0 to 9.4.0
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   
   





[GitHub] [maven-dependency-plugin] slachiewicz merged pull request #254: spelling

2022-10-05 Thread GitBox


slachiewicz merged PR #254:
URL: https://github.com/apache/maven-dependency-plugin/pull/254





[GitHub] [maven-mvnd] gnodet merged pull request #699: Fix for JUnit test failing on Windows

2022-10-05 Thread GitBox


gnodet merged PR #699:
URL: https://github.com/apache/maven-mvnd/pull/699





[GitHub] [maven-mvnd] gnodet closed issue #695: Possible problem when resizing the daemon registry

2022-10-05 Thread GitBox


gnodet closed issue #695: Possible problem when resizing the daemon registry
URL: https://github.com/apache/maven-mvnd/issues/695





[GitHub] [maven-resolver] cstamas commented on pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


cstamas commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265038787

   > Yet another question: It is worthwhile to enable it by default and add 
checksums on the fly when they are present?
   
   This could be similar to how the "record" functionality works for the remote repository 
filter feature. Yes, it could be possible, but unsure whether it is worth it: the 
whole idea of this is to get checksums from some _other trusted source_ than the remote...





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265059184

   Missed updating the printed error message from the wrapper application this 
time. Fixed this now.





[GitHub] [maven-resolver] cstamas commented on a diff in pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


cstamas commented on code in PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#discussion_r985443290


##
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SparseFileTrustedChecksumsSource.java:
##
@@ -0,0 +1,125 @@
+package org.eclipse.aether.internal.impl.checksum;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.internal.impl.LocalPathComposer;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
+import org.eclipse.aether.spi.io.FileProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Sparse file {@link FileTrustedChecksumsSourceSupport} implementation that 
use specified directory as base
+ * directory, where it expects artifacts checksums on standard Maven2 "local" 
layout. This implementation uses Artifact
+ * coordinates solely to form path from basedir, pretty much as Maven local 
repository does.
+ * 
+ * The source may be configured to be "origin aware", in that case it will 
factor in origin repository ID as well into
+ * base directory name (for example ".checksums/central/...").
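Review bot: the Javadoc's "origin aware" mode folds the origin repository ID into the base directory name (`.checksums/central/...`), but nothing in the visible part of the class says how an ID that is not a plain path segment (one containing a path separator or `..`) is treated; repository IDs come from settings and POMs, so document that the ID must be a single path segment and have the path-building code reject anything else, so a misconfigured ID cannot yield a location outside the base directory. Minor wording: `implementation that use specified directory as base directory` should read `implementation that uses the specified directory as base directory`.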

Review Comment:
   LocalPathPrefixComposer is a component, and in that case we could have it 
behave the same as LRM. In other words, if you "split" LRM you'd need to split this 
one as well, and the other way around. I don't see the two as the "same".






[GitHub] [maven-resolver] cstamas commented on pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


cstamas commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265103866

   > Yet another issue with the `.enabled`: I think this is again inconsistent 
with our existing boolean properties: 
https://maven.apache.org/resolver/configuration.html They use the name as a 
boolean property with a default value. So to apply this approach `.enabled` can 
just be dropped and its parent used.
   
   This is fixed now.





[jira] [Commented] (MRESOLVER-269) Allow more compact storage of provided checksums

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MRESOLVER-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613161#comment-17613161
 ] 

ASF GitHub Bot commented on MRESOLVER-269:
--

cstamas commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265038787

   > Yet another question: It is worthwhile to enable it by default and add 
checksums on the fly when they are present?
   
   This could be similar to how the "record" functionality works for the remote repository 
filter feature. Yes, it could be possible, but unsure whether it is worth it: the 
whole idea of this is to get checksums from some _other trusted source_ than the remote...




> Allow more compact storage of provided checksums
> 
>
> Key: MRESOLVER-269
> URL: https://issues.apache.org/jira/browse/MRESOLVER-269
> Project: Maven Resolver
>  Issue Type: Improvement
>  Components: Resolver
>Reporter: Rafael Winterhalter
>Assignee: Tamás Cservenák
>Priority: Major
> Fix For: resolver-next
>
>
> While the repository layout makes sense for storage outside of a project, it 
> would be more convenient to store checksums in a single file (per algorithm) 
> when keeping checksums along when storing these checksums within a project. 
> This makes the storage easier to version control and avoids the overhead of 
> storing a lot of files in version control, which often creates some overhead.
> Ideally, Maven could support such files out of the box by shipping a provider 
> for such files.





[jira] [Commented] (MRESOLVER-269) Allow more compact storage of provided checksums

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MRESOLVER-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613164#comment-17613164
 ] 

ASF GitHub Bot commented on MRESOLVER-269:
--

cstamas commented on code in PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#discussion_r985443290


##
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SparseFileTrustedChecksumsSource.java:
##
@@ -0,0 +1,125 @@
+package org.eclipse.aether.internal.impl.checksum;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.internal.impl.LocalPathComposer;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
+import org.eclipse.aether.spi.io.FileProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Sparse file {@link FileTrustedChecksumsSourceSupport} implementation that 
use specified directory as base
+ * directory, where it expects artifacts checksums on standard Maven2 "local" 
layout. This implementation uses Artifact
+ * coordinates solely to form path from basedir, pretty much as Maven local 
repository does.
+ * 
+ * The source may be configured to be "origin aware", in that case it will 
factor in origin repository ID as well into
+ * base directory name (for example ".checksums/central/...").

Review Comment:
   LocalPathPrefixComposer is a component, and in that case we could have it 
behave the same as LRM. In other words, if you "split" LRM you'd need to split this 
one as well, and the other way around. I don't see the two as the "same".





> Allow more compact storage of provided checksums
> 
>
> Key: MRESOLVER-269
> URL: https://issues.apache.org/jira/browse/MRESOLVER-269
> Project: Maven Resolver
>  Issue Type: Improvement
>  Components: Resolver
>Reporter: Rafael Winterhalter
>Assignee: Tamás Cservenák
>Priority: Major
> Fix For: resolver-next
>
>
> While the repository layout makes sense for storage outside of a project, it 
> would be more convenient to store checksums in a single file (per algorithm) 
> when keeping checksums along when storing these checksums within a project. 
> This makes the storage easier to version control and avoids the overhead of 
> storing a lot of files in version control, which often creates some overhead.
> Ideally, Maven could support such files out of the box by shipping a provider 
> for such files.





[GitHub] [maven-mvnd] galegofer opened a new issue, #701: mvndaemon 0.8.1 not at Chocolatey repo

2022-10-05 Thread GitBox


galegofer opened a new issue, #701:
URL: https://github.com/apache/maven-mvnd/issues/701

   I can see that the 0.8.1 release is around 14 days old, but it is still not 
available at Chocolatey https://community.chocolatey.org/packages/mvndaemon/ 
(only 0.8.0)
   
   Is there any intention to make it available there?





[jira] [Commented] (MRESOLVER-269) Allow more compact storage of provided checksums

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MRESOLVER-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613168#comment-17613168
 ] 

ASF GitHub Bot commented on MRESOLVER-269:
--

cstamas commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265103866

   > Yet another issue with the `.enabled`: I think this is again inconsistent 
with our existing boolean properties: 
https://maven.apache.org/resolver/configuration.html They use the name as a 
boolean property with a default value. So to apply this approach `.enabled` can 
just be dropped and its parent used.
   
   This is fixed now.




> Allow more compact storage of provided checksums
> 
>
> Key: MRESOLVER-269
> URL: https://issues.apache.org/jira/browse/MRESOLVER-269
> Project: Maven Resolver
>  Issue Type: Improvement
>  Components: Resolver
>Reporter: Rafael Winterhalter
>Assignee: Tamás Cservenák
>Priority: Major
> Fix For: resolver-next
>
>
> While the repository layout makes sense for storage outside of a project, it 
> would be more convenient to store checksums in a single file (per algorithm) 
> when keeping checksums along when storing these checksums within a project. 
> This makes the storage easier to version control and avoids the overhead of 
> storing a lot of files in version control, which often creates some overhead.
> Ideally, Maven could support such files out of the box by shipping a provider 
> for such files.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613162#comment-17613162
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265059184

   Missed updating the printed error message from the wrapper application this 
time. Fixed this now.




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



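The verify-then-abort step that MWRAPPER-75 above describes, as an added POSIX sh example (not Maven Wrapper's own script and not the PR's code): the function hashes the downloaded file with SHA-256, compares it with the expected digest, and on any mismatch or malformed expectation deletes the file and returns non-zero, so a caller chained with `&&` never reaches the execution step. It assumes one of `sha256sum`, `shasum` or `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not Maven Wrapper code: verify a downloaded artifact against
# an expected SHA-256 digest before it is run, as MWRAPPER-75 proposes.
# Assumes one of sha256sum, shasum or openssl is available on PATH.

# sha256_of FILE: print the lower-case hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "sha256_of: no SHA-256 tool found on PATH" >&2
        return 1
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to EXPECTED_SHA256. On any failure the
# downloaded file is removed and 1 is returned, so a caller written as
#   verify_artifact "$jar" "$expected" && java -jar "$jar"
# never executes an unverified artifact.
verify_artifact() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Fail closed on an empty or malformed expectation: a missing digest must
    # abort, not silently skip verification.
    case "$expected" in
        *[!0-9a-f]*|'') expected='' ;;
    esac
    if [ -z "$expected" ] || [ ${#expected} -ne 64 ]; then
        echo "verify_artifact: expected SHA-256 is not 64 hex characters" >&2
        rm -f "$file"
        return 1
    fi

    actual=$(sha256_of "$file") || { rm -f "$file"; return 1; }
    if [ "$actual" = "$expected" ]; then
        return 0
    fi

    echo "Checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
}
```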


[GitHub] [maven] pzygielo opened a new pull request, #809: Consider inactive profiles for validation

2022-10-05 Thread GitBox


pzygielo opened a new pull request, #809:
URL: https://github.com/apache/maven/pull/809

   I propose this cosmetic change (the key change is in new line 485; the two other changes are 
CS:LineLength).
   This allows deactivating profiles from settings and from the pom with the same 
id, and avoids the confusing warning:
   ```
   $ mvn -P \!XYZ verify
   ...
   [WARNING] The requested profile "XYZ" could not be activated because it does 
not exist.
   ...
   ```
   
   Similar issues
   - MNG-7211 (done in unspecified version, while MNG-7051 fixed in v4)
   
   --- 
   
   Following this checklist to help us incorporate your
   contribution quickly and easily:
   
- [ ] Make sure there is a [JIRA 
issue](https://issues.apache.org/jira/browse/MNG) filed
  for the change (usually before you start working on it).  Trivial 
changes like typos do not
  require a JIRA issue. Your pull request should address just this 
issue, without
  pulling in other changes.
- [ ] Each commit in the pull request should have a meaningful subject line 
and body.
- [ ] Format the pull request title like `[MNG-XXX] SUMMARY`, where you 
replace `MNG-XXX`
  and `SUMMARY` with the appropriate JIRA issue. Best practice is to 
use the JIRA issue
  title in the pull request title and in the first line of the commit 
message.
- [ ] Write a pull request description that is detailed enough to 
understand what the pull request does, how, and why.
- [ ] Run `mvn clean verify` to make sure basic checks pass. A more 
thorough check will
  be performed on your pull request automatically.
- [ ] You have run the [Core IT][core-its] successfully.
   
   If your pull request is about ~20 lines of code you don't need to sign an
   [Individual Contributor License 
Agreement](https://www.apache.org/licenses/icla.pdf). If you are unsure,
   please ask on the developers list.
   
   To make clear that you license your contribution under
   the [Apache License Version 2.0, January 
2004](http://www.apache.org/licenses/LICENSE-2.0)
   you have to acknowledge this by using the following check-box.
   
- [ ] I hereby declare this contribution to be licenced under the [Apache 
License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   
- [ ] In any other case, please file an [Apache Individual Contributor 
License Agreement](https://www.apache.org/licenses/icla.pdf).
   
   [core-its]: https://maven.apache.org/core-its/core-it-suite/
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [maven-mvnd] gnodet merged pull request #700: SimpleAppender omits stacktraces (fixes #696)

2022-10-05 Thread GitBox


gnodet merged PR #700:
URL: https://github.com/apache/maven-mvnd/pull/700





[GitHub] [maven-mvnd] gnodet commented on issue #701: mvndaemon 0.8.1 not at Chocolatey repo

2022-10-05 Thread GitBox


gnodet commented on issue #701:
URL: https://github.com/apache/maven-mvnd/issues/701#issuecomment-1265159810

   Chocolatey does not automatically upgrade its packages, so we need a step in 
the release process to actually build/upload the chocolatey package. Ideally, a 
PR that would add something to the [publish 
script](https://github.com/apache/maven-mvnd/blob/master/build/release-publish.sh#L35).
   You may ping the package maintainers for help at 
https://community.chocolatey.org/packages/mvndaemon#discussion





[GitHub] [maven-mvnd] gnodet closed issue #696: SimpleAppender omits stacktraces

2022-10-05 Thread GitBox


gnodet closed issue #696: SimpleAppender omits stacktraces
URL: https://github.com/apache/maven-mvnd/issues/696





[GitHub] [maven-ear-plugin] dependabot[bot] opened a new pull request, #72: Bump maven-archiver from 3.5.1 to 3.6.0

2022-10-05 Thread GitBox


dependabot[bot] opened a new pull request, #72:
URL: https://github.com/apache/maven-ear-plugin/pull/72

   Bumps [maven-archiver](https://github.com/apache/maven-archiver) from 3.5.1 
to 3.6.0.
   
   Commits
   
   - 66780f2 [maven-release-plugin] prepare release maven-archiver-3.6.0 
(https://github.com/apache/maven-archiver/commit/66780f233e9ab3fdee660103222ce0947cf0b379)
   - 2ceaefd [MSHARED-1088] Update Plexus IO 3.4.0 and Plexus Archiver 4.4.0 (#25) 
(https://github.com/apache/maven-archiver/commit/2ceaefdc7050b12949e8a200c33c4bbc7fa1b213)
   - 03153b5 [MSHARED-1067] Improve Reproducible Builds methods 
(https://github.com/apache/maven-archiver/commit/03153b544edebeed2d11d8b7a135337394d97205)
   - cd79d39 [MSHARED-1066] Upgrade Plexus Archiver to 4.3.0 
(https://github.com/apache/maven-archiver/commit/cd79d3959afce50e90b3bcc5cd7d7b88aee98df6)
   - 6f74e5e [MSHARED-1082] - Update Plexus IO to 3.3.1 
(https://github.com/apache/maven-archiver/commit/6f74e5e363191337b7984988d861efb0a3c4b304)
   - 96859f2 [MSHARED-1081] Drop m-shared-utils (#23) 
(https://github.com/apache/maven-archiver/commit/96859f234edcefcecb77c1482d99d7b0b4f5e1ef)
   - 922e510 ignore more... 
(https://github.com/apache/maven-archiver/commit/922e510bdb940689cf666e22771eb4c516cb8c04)
   - ea2396b [MSHARED-1003] Require Maven 3.2.5+ 
(https://github.com/apache/maven-archiver/commit/ea2396bda35a8f7c0c958691bfebf0561f9d464b)
   - c9d80f5 [MSHARED-991] small code cleanup and javadoc:fix 
(https://github.com/apache/maven-archiver/commit/c9d80f54ea9b21b2c7818d9f0895a43c6cb3acf4)
   - 7769e4e Bump junit to 5.8.3 
(https://github.com/apache/maven-archiver/commit/7769e4e00770918a4f0fca5c0be53ea689db8fb3)
   - Additional commits viewable in the compare view 
(https://github.com/apache/maven-archiver/compare/maven-archiver-3.5.1...maven-archiver-3.6.0)
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.maven:maven-archiver&package-manager=maven&previous-version=3.5.1&new-version=3.6.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265206947

   The problem seems to be that the distribution-only script does not propagate 
the PowerShell error level. Not sure how to solve this yet, the script is 
rather cryptic, but I am still trying to figure it out. If you have a pointer, 
please let me know!





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613172#comment-17613172
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265206947

   The problem seems to be that the distribution-only script does not propagate 
the PowerShell error level. Not sure how to solve this yet, the script is 
rather cryptic, but I am still trying to figure it out. If you have a pointer, 
please let me know!




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[GitHub] [maven-compiler-plugin] laeubi commented on a diff in pull request #151: Move away from legacy maven-compat

2022-10-05 Thread GitBox


laeubi commented on code in PR #151:
URL: 
https://github.com/apache/maven-compiler-plugin/pull/151#discussion_r985641086


##
src/main/java/org/apache/maven/plugin/compiler/AbstractCompilerMojo.java:
##
@@ -1841,29 +1838,36 @@ private List resolveProcessorPathEntries()
 ArtifactHandler handler = 
artifactHandlerManager.getArtifactHandler( coord.getType() );
 
 Artifact artifact = new DefaultArtifact(
- coord.getGroupId(),
- coord.getArtifactId(),
- VersionRange.createFromVersionSpec( coord.getVersion() ),
- Artifact.SCOPE_RUNTIME,
- coord.getType(),
- coord.getClassifier(),
- handler,
- false );
-
-ArtifactResolutionRequest request = new 
ArtifactResolutionRequest()
-.setArtifact( artifact )
-.setResolveRoot( true )
-.setResolveTransitively( true )
-.setLocalRepository( 
session.getLocalRepository() )
-.setRemoteRepositories( 
project.getRemoteArtifactRepositories() );
-
-ArtifactResolutionResult resolutionResult = 
repositorySystem.resolve( request );
-
-resolutionErrorHandler.throwErrors( request, resolutionResult 
);
-
-for ( Artifact resolved : resolutionResult.getArtifacts() )
+coord.getGroupId(),
+coord.getArtifactId(),
+coord.getClassifier(),
+handler.getExtension(),
+coord.getVersion()
+);
+
+CollectRequest collectRequest = new CollectRequest( new 
Dependency( artifact, JavaScopes.RUNTIME ),
+project.getRemoteProjectRepositories() );
+DependencyRequest dependencyRequest = new DependencyRequest();
+dependencyRequest.setCollectRequest( collectRequest );
+DependencyResult dependencyResult = 
repositorySystem.resolveDependencies(
+session.getRepositorySession(), dependencyRequest );
+
+ArrayList failed = new ArrayList<>();
+for ( ArtifactResult resolved : 
dependencyResult.getArtifactResults() )
+{
+if ( resolved.getArtifact() != null && 
resolved.getArtifact().getFile() != null )
+{
+elements.add( 
resolved.getArtifact().getFile().getAbsolutePath() );
+}
+else
+{
+failed.add( resolved );
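Review bot: the `failed` list filled in the `else` branch is not used anywhere in this hunk, so an annotation-processor artifact whose `ArtifactResult` carries no file is silently left off the processor path and the compiler runs with a processor set that differs from what the POM declares; annotation processors execute at build time, so that is not a case to continue from quietly. If `repositorySystem.resolveDependencies` can return such results instead of throwing `DependencyResolutionException` (the question raised in the review comment), the mojo should fail with the unresolved coordinates, and if it cannot, the `else` branch and `failed` are dead code and should be removed. Note also that the removed code called `resolutionErrorHandler.throwErrors( request, resolutionResult )`, so this hunk changes the failure behaviour of the processor-path resolution and the PR description should say so.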

Review Comment:
   Can this actually happen or would this not just throw a 
`DependencyResolutionException` already?






[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265296342

   Had to make some adjustments as it's not straightforward to capture the 
status code. Should work now, but happy to accept improvement suggestions.





[GitHub] [maven-wrapper] jorsol commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


jorsol commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265309532

   > Had to make some adjustments as it's not straightforward to capture the 
status code. Should work now, but happy to accept improvement suggestions.
   
   Don't know anything about PowerShell, but my improvement suggestion would be 
to fully rewrite the `.cmd` scripts using pure PowerShell `.ps1`. This might be 
a completely different issue 
(https://issues.apache.org/jira/browse/MWRAPPER-78), but it might help to 
properly handle such a scenario.
   





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613177#comment-17613177
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265296342

   Had to make some adjustments as it's not straightforward to capture the 
status code. Should work now, but happy to accept improvement suggestions.




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613178#comment-17613178
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


jorsol commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265309532

   > Had to make some adjustments as it's not straightforward to capture the 
status code. Should work now, but happy to accept improvement suggestions.
   
   Don't know anything about PowerShell, but my improvement suggestion would be 
to fully rewrite the `.cmd` scripts using pure PowerShell `.ps1`. This might be 
a completely different issue 
(https://issues.apache.org/jira/browse/MWRAPPER-78), but it might help to 
properly handle such a scenario.
   




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.





[GitHub] [maven-resolver] caiwei-ebay commented on a diff in pull request #178: [MRESOLVER-7] download poms in parallel

2022-10-05 Thread GitBox


caiwei-ebay commented on code in PR #178:
URL: https://github.com/apache/maven-resolver/pull/178#discussion_r985689590


##
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/collect/bf/BfDependencyCollector.java:
##
@@ -365,6 +477,64 @@ else if ( descriptorResult == DataPool.NO_DESCRIPTOR )
 return descriptorResult;
 }
 
+static class ParallelDescriptorResolver
+{
+final ExecutorService executorService;
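Review bot: `ParallelDescriptorResolver` takes ownership of a `final ExecutorService executorService`, but this hunk shows neither where that executor is created nor where it is shut down; an executor created per collection and never shut down leaks threads in long-running hosts, so the class should either implement `AutoCloseable` and call `executorService.shutdown()` in `close()`, or, as the reply below suggests, receive a shared executor whose lifecycle is owned by the component that also serves the other download paths. Whichever way, document the ownership on the field so the next reader does not have to guess who closes it.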

Review Comment:
   Totally agreed. Could refactor the executor part in a separate PR so all of 
the download-related logic could share it.
   Another issue you've pointed out is fixed. Thanks for the review. Please let 
me know if there is anything else I can help with.






[jira] [Commented] (MRESOLVER-7) Download dependency POMs in parallel

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MRESOLVER-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613181#comment-17613181
 ] 

ASF GitHub Bot commented on MRESOLVER-7:


caiwei-ebay commented on code in PR #178:
URL: https://github.com/apache/maven-resolver/pull/178#discussion_r985689590


##
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/collect/bf/BfDependencyCollector.java:
##
@@ -365,6 +477,64 @@ else if ( descriptorResult == DataPool.NO_DESCRIPTOR )
 return descriptorResult;
 }
 
+static class ParallelDescriptorResolver
+{
+final ExecutorService executorService;

Review Comment:
   Totally agreed. Could refactor the executor part in a separate PR so all of 
the download-related logic could share it.
   Another issue you've pointed out is fixed. Thanks for the review. Please let 
me know if there is anything else I can help with.





> Download dependency POMs in parallel
> 
>
> Key: MRESOLVER-7
> URL: https://issues.apache.org/jira/browse/MRESOLVER-7
> Project: Maven Resolver
>  Issue Type: Improvement
>  Components: Resolver
>Affects Versions: Aether 1.0.2
>Reporter: Harald Wellmann
>Assignee: Tamás Cservenák
>Priority: Major
> Fix For: resolver-next
>
> Attachments: resolve_deps.png, resolver.log
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> h3. Background
> When building a project with dependencies not yet available in the local 
> repository, I noticed that Maven 3.3.9/Aether 1.0.2 first downloads the 
> dependency POMs _sequentially_ and then proceeds downloading the dependency 
> JARs with up to 5 threads _in parallel_.
> Due to this, when first building a project with a large number of 
> dependencies, downloading a large number of small POMs may take a lot longer 
> than downloading the much larger JARs, or even longer than building the 
> project itself, especially when a repository manager is used which increases 
> the download latency.
> h3. Enhancement
> Download POMs of (transitive) dependencies in parallel to significantly speed 
> up initial builds of large projects.





[GitHub] [maven-mvnd] gnodet merged pull request #702: Fix maven extensions' parent classloader (fixes #690)

2022-10-05 Thread GitBox


gnodet merged PR #702:
URL: https://github.com/apache/maven-mvnd/pull/702





[GitHub] [maven-mvnd] gnodet closed issue #690: Maven extensions have a wrong parent classloader

2022-10-05 Thread GitBox


gnodet closed issue #690: Maven extensions have a wrong parent classloader
URL: https://github.com/apache/maven-mvnd/issues/690





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265470684

   Generally, I agree. Currently, the command script parses itself, extracts 
the PowerShell script from its own file and executes that, reads the output of 
it, and then jumps to the end of the file. That's certainly not a very 
intuitive solution.
   
   I do however see such a rewrite as beyond the scope of this ticket, but 
I'd appreciate such a rewrite.





[GitHub] [maven-mvnd] oehme commented on issue #696: SimpleAppender omits stacktraces

2022-10-05 Thread GitBox


oehme commented on issue #696:
URL: https://github.com/apache/maven-mvnd/issues/696#issuecomment-1265492989

   Thanks for fixing this so quickly! 





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613188#comment-17613188
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265470684

   Generally, I agree. Currently, the command script parses itself, extracts 
the PowerShell script from its own file and executes that, reads the output of 
it, and then jumps to the end of the file. That's certainly not a very 
intuitive solution.
   
   I do however see such a rewrite as beyond the scope of this ticket, but 
I'd appreciate such a rewrite.




> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.





[GitHub] [maven-shade-plugin] dependabot[bot] commented on pull request #155: Bump slf4j.version from 1.7.32 to 2.0.3

2022-10-05 Thread GitBox


dependabot[bot] commented on PR #155:
URL: 
https://github.com/apache/maven-shade-plugin/pull/155#issuecomment-1265665216

   OK, I won't notify you again about this release, but will get in touch when 
a new version is available. You can also ignore all major, minor, or patch 
releases for a dependency by adding an [`ignore` 
condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore)
 with the desired `update_types` to your config file.
   
   If you change your mind, just re-open this PR and I'll resolve any conflicts 
on it.





[GitHub] [maven-shade-plugin] slawekjaranowski closed pull request #155: Bump slf4j.version from 1.7.32 to 2.0.3

2022-10-05 Thread GitBox


slawekjaranowski closed pull request #155: Bump slf4j.version from 1.7.32 to 
2.0.3
URL: https://github.com/apache/maven-shade-plugin/pull/155





[GitHub] [maven-wrapper] slawekjaranowski commented on a diff in pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


slawekjaranowski commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r985951900


##
maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java:
##
@@ -87,6 +91,14 @@ public Path createDist( WrapperConfiguration configuration )
 downloaded = Files.exists( localZipFile );
 }
 
+if ( verifyDistributionSha256Sum )
+{
+verifier.verify( localZipFile,
+"distributionSha256Sum",
+Verifier.SHA_256_ALGORITHM,
+configuration.getDistributionSha256Sum() );
+}
+
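Review bot: the new `verifier.verify` block runs on every `createDist` call, including the common path where `downloaded = Files.exists( localZipFile )` merely found an archive left by an earlier run, so the whole distribution zip is re-hashed on each Maven start; the cost remark in the review comment is fair, but restricting the check to freshly downloaded archives is only safe if unpacking (not shown in this hunk) happens after the check and a rejected archive is deleted on mismatch, so that the next run re-downloads instead of finding the bad file, taking the already-downloaded branch and trusting it. It should also be documented that an archive cached by a wrapper version without `distributionSha256Sum` support has never been checked, so a verify-on-download-only design keeps trusting it until the cache is cleared.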

Review Comment:
   I would like to execute this block only when a new file is downloaded; now we 
will calculate the checksum on every Maven execution.






[GitHub] [maven] michael-o commented on pull request #808: Replace Properties with Map in the v4 api

2022-10-05 Thread GitBox


michael-o commented on PR #808:
URL: https://github.com/apache/maven/pull/808#issuecomment-1265726207

   Are we sure that String-based properties are sufficient?





[GitHub] [maven-resolver] michael-o commented on pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


michael-o commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265735368

   > > Yet another question: It is worthwhile to enable it by default and add 
checksums on the fly when they are present?
   > 
   > This could be similar to the "record" functionality of the remote repository 
filter feature. Yes, it could be possible, but I'm unsure whether it is worth it: the whole 
idea of this is to get checksums from _another trusted source_ than the remote...
   
   OK, let's put this aside.





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613197#comment-17613197
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


slawekjaranowski commented on code in PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#discussion_r985951900


##
maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java:
##
@@ -87,6 +91,14 @@ public Path createDist( WrapperConfiguration configuration )
 downloaded = Files.exists( localZipFile );
 }
 
+if ( verifyDistributionSha256Sum )
+{
+verifier.verify( localZipFile,
+"distributionSha256Sum",
+Verifier.SHA_256_ALGORITHM,
+configuration.getDistributionSha256Sum() );
+}
+

Review Comment:
   I would like to execute this block only when a new file is downloaded; now we 
will calculate the checksum on every Maven execution.





> Allow for sha256 checksum verification of downloaded artifacts.
> ---
>
> Key: MWRAPPER-75
> URL: https://issues.apache.org/jira/browse/MWRAPPER-75
> Project: Maven Wrapper
>  Issue Type: Improvement
>  Components: Maven Wrapper Jar, Maven Wrapper Plugin, Maven Wrapper 
> Scripts
>Reporter: Rafael Winterhalter
>Priority: Normal
> Fix For: 3.2.0
>
>
> Maven Wrapper is downloading binary artifacts that are later executed. To 
> prevent an attack where a vulnerable repository could distribute 
> malicious Maven (wrapper) artifacts, the downloaded artifacts should be 
> verified against a secure checksum. If the expected checksum does not match, 
> execution could be aborted before the potentially compromised artifact is 
> executed.
> In my PR, I chose SHA-256 as it is cheaper to compute than SHA-512 but still 
> impossible to replicate with a corrupted binary.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (MRESOLVER-269) Allow more compact storage of provided checksums

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MRESOLVER-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613200#comment-17613200
 ] 

ASF GitHub Bot commented on MRESOLVER-269:
--

michael-o commented on PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#issuecomment-1265735368

   > > Yet another question: Is it worthwhile to enable it by default and add 
checksums on the fly when they are present?
   > 
   > This could be similar to the "record" functionality of the remote repository 
filter feature. Yes, it could be possible, but unsure whether it is worth it: the 
whole idea of this is to get checksums from some _other trusted source_ than the 
remote...
   
   OK, let's put this aside.




> Allow more compact storage of provided checksums
> 
>
> Key: MRESOLVER-269
> URL: https://issues.apache.org/jira/browse/MRESOLVER-269
> Project: Maven Resolver
>  Issue Type: Improvement
>  Components: Resolver
>Reporter: Rafael Winterhalter
>Assignee: Tamás Cservenák
>Priority: Major
> Fix For: resolver-next
>
>
> While the repository layout makes sense for storage outside of a project, it 
> would be more convenient to store checksums in a single file (per algorithm) 
> when keeping these checksums within a project. This makes the storage easier 
> to version control and avoids storing a lot of files in version control, 
> which often creates some overhead.
> Ideally, Maven could support such files out of the box by shipping a provider 
> for such files.





[GitHub] [maven-wrapper] raphw commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265742206

   @slawekjaranowski As for the "validation on download only": The problem with 
this approach is that it cannot be tested, as normally the distribution will 
already be downloaded from another build. If this other build did not validate 
a checksum, the corrupted version is now shared. Also, I am not sure if this is 
such a good idea from a procedural point of view, if the download succeeds but 
the validation fails; if the file cannot be deleted afterwards, the corrupted 
version will continue to exist at the target location.
   
   I have reverted the validation to be executed only during downloads. Also, 
the SHA-256 computation is not overly expensive, so I do not think this is an 
actual problem.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [maven-resolver] michael-o commented on a diff in pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


michael-o commented on code in PR #199:
URL: https://github.com/apache/maven-resolver/pull/199#discussion_r986017262


##
maven-resolver-impl/src/main/java/org/eclipse/aether/internal/impl/checksum/SparseFileTrustedChecksumsSource.java:
##
@@ -0,0 +1,125 @@
+package org.eclipse.aether.internal.impl.checksum;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.internal.impl.LocalPathComposer;
+import org.eclipse.aether.repository.ArtifactRepository;
+import org.eclipse.aether.spi.connector.checksum.ChecksumAlgorithmFactory;
+import org.eclipse.aether.spi.io.FileProcessor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static java.util.Objects.requireNonNull;
+
+/**
+ * Sparse file {@link FileTrustedChecksumsSourceSupport} implementation that 
use specified directory as base
+ * directory, where it expects artifacts checksums on standard Maven2 "local" 
layout. This implementation uses Artifact
+ * coordinates solely to form path from basedir, pretty much as Maven local 
repository does.
+ * 
+ * The source may be configured to be "origin aware", in that case it will 
factor in origin repository ID as well into
+ * base directory name (for example ".checksums/central/...").

Review Comment:
   Can you rephrase your answer?! I frankly do not understand whether 
everything under `.checksums/` can or cannot behave like the LRM tree-wise. 
This should also make `.originAware` obsolete.



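The two layouts the MRESOLVER-269 issue and the review of `SparseFileTrustedChecksumsSource` above argue about, as an added example written for this page (it is not maven-resolver's own code): one checksum file per artifact in a local-repository-style tree ("sparse") versus one file per algorithm ("compact"), both optionally split by origin repository ID. The compact line format (`<hex>  <groupId:artifactId:ext[:classifier]:version>`), the `checksums.<algo>` file name, the `.checksums/` base directory and the sample artifact bytes are assumptions constructed here; the resolver's real compact format is not shown on this page.

```python
"""Trusted-checksums lookup over a sparse tree and a compact per-algorithm file.

Added example for this page; not maven-resolver's SparseFileTrustedChecksumsSource.
The compact format, file names and sample data below are assumptions.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import NamedTuple, Optional


class Artifact(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    extension: str = "jar"
    classifier: str = ""

    def coordinate(self) -> str:
        """groupId:artifactId:extension[:classifier]:version, as Maven prints it."""
        parts = [self.group_id, self.artifact_id, self.extension]
        if self.classifier:
            parts.append(self.classifier)
        return ":".join(parts + [self.version])

    def local_path(self) -> Path:
        """Relative path of the artifact file in the Maven2 local-repository layout."""
        name = f"{self.artifact_id}-{self.version}"
        if self.classifier:
            name += f"-{self.classifier}"
        return Path(*self.group_id.split(".")) / self.artifact_id / self.version / f"{name}.{self.extension}"


class TrustedChecksums:
    """Pins kept inside the project (assumed: under .checksums/), independent of any remote."""

    def __init__(self, basedir: Path, origin_aware: bool = True) -> None:
        self.basedir = basedir
        self.origin_aware = origin_aware

    def _root(self, repo_id: str) -> Path:
        # Origin-aware: pins are scoped per repository ID, e.g. .checksums/central/...
        return self.basedir / repo_id if self.origin_aware else self.basedir

    def sparse_lookup(self, a: Artifact, repo_id: str, algo: str) -> Optional[str]:
        """One file per artifact: <root>/<local layout path>.<algo> holding the hex digest."""
        rel = a.local_path()
        f = self._root(repo_id) / rel.parent / f"{rel.name}.{algo}"
        return f.read_text().split()[0].lower() if f.is_file() else None

    def compact_lookup(self, a: Artifact, repo_id: str, algo: str) -> Optional[str]:
        """One file per algorithm (assumed format): '<hex>  <coordinate>' per line."""
        f = self._root(repo_id) / f"checksums.{algo}"
        if not f.is_file():
            return None
        for line in f.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, coord = line.partition(" ")
            if coord.strip() == a.coordinate():
                return digest.lower()
        return None

    def verify(self, data: bytes, a: Artifact, repo_id: str, algo: str = "sha256") -> str:
        """'match', 'mismatch' or 'unpinned'. No pin is not a pass; the caller must decide."""
        expected = self.sparse_lookup(a, repo_id, algo) or self.compact_lookup(a, repo_id, algo)
        if expected is None:
            return "unpinned"
        actual = hashlib.new(algo, data).hexdigest()
        return "match" if hmac.compare_digest(actual.encode(), expected.encode()) else "mismatch"


def demo() -> dict:
    """Constructed sample pins in a temp dir; returns the verification outcomes."""
    lib10 = Artifact("org.example", "lib", "1.0")
    lib11 = Artifact("org.example", "lib", "1.1")
    jar10 = b"PK\x03\x04 constructed bytes standing in for lib-1.0.jar\n"
    jar11 = b"PK\x03\x04 constructed bytes standing in for lib-1.1.jar\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = TrustedChecksums(Path(tmp) / ".checksums", origin_aware=True)
        # Sparse layout: lib 1.0 as resolved from the repository with ID 'central'.
        rel = lib10.local_path()
        sparse = src._root("central") / rel.parent / f"{rel.name}.sha256"
        sparse.parent.mkdir(parents=True)
        sparse.write_text(hashlib.sha256(jar10).hexdigest() + "\n")
        # Compact layout: lib 1.1 in the single per-algorithm file, same origin.
        (src._root("central") / "checksums.sha256").write_text(
            "# one line per artifact: <sha256>  <coordinate>\n"
            f"{hashlib.sha256(jar11).hexdigest()}  {lib11.coordinate()}\n"
        )
        return {
            "sparse_match": src.verify(jar10, lib10, "central"),
            "sparse_tampered": src.verify(jar10 + b"x", lib10, "central"),
            "compact_match": src.verify(jar11, lib11, "central"),
            "compact_wrong_bytes": src.verify(jar10, lib11, "central"),
            # A pin recorded for 'central' says nothing about the same coordinates
            # served under another repository ID; that is what origin-aware buys.
            "other_origin": src.verify(jar10, lib10, "mirror"),
        }


if __name__ == "__main__":
    print(demo())
```

The sparse lookup is tried first and the compact file second, so a project can migrate one artifact at a time. The important design choice is the three-valued result: an artifact with no pin is reported as `unpinned` rather than silently accepted, which is the difference between "trusted source has no opinion" and "trusted source approved this".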



[GitHub] [maven-ear-plugin] slawekjaranowski merged pull request #71: Upgrade Maven Verifier to 2.0.0-M1

2022-10-05 Thread GitBox


slawekjaranowski merged PR #71:
URL: https://github.com/apache/maven-ear-plugin/pull/71





[GitHub] [maven-verifier] slawekjaranowski merged pull request #55: [MSHARED-1146] Deprecate multivariant constructors for removal

2022-10-05 Thread GitBox


slawekjaranowski merged PR #55:
URL: https://github.com/apache/maven-verifier/pull/55





[GitHub] [maven-verifier] slawekjaranowski commented on pull request #55: [MSHARED-1146] Deprecate multivariant constructors for removal

2022-10-05 Thread GitBox


slawekjaranowski commented on PR #55:
URL: https://github.com/apache/maven-verifier/pull/55#issuecomment-1265807749

   @adekzs thanks





[GitHub] [maven-wrapper] slawekjaranowski commented on pull request #58: [MWRAPPER-75] Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread GitBox


slawekjaranowski commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265822433

   OK, even if the local distribution is corrupted after the first download and 
verification, the wrapper will not use it if it already has an unpacked version, 
unless alwaysUnpack is true.
   
   What do you think about verifying before unpacking?
   


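The policy argued across the MWRAPPER-75 description and the PR #58 comments above (pin a SHA-256 for the distribution, check it before anything is unpacked, and do not leave a failed download behind for the next build to pick up), as an added example written for this page rather than maven-wrapper's own `Installer`. The file names, the "reuse an already unpacked directory unless alwaysUnpack" rule, and the sample zip are assumptions modelled on the discussion.

```python
"""Verify-before-unpack for a downloaded Maven distribution.

Added example for this page, not maven-wrapper's Installer. Names and the
sample zip are assumptions; the policy follows the PR #58 discussion.
"""
import hashlib
import hmac
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Tuple

CHUNK = 1 << 16


class ChecksumMismatch(Exception):
    """The downloaded distribution does not match the pinned digest."""


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256; a real distribution zip is tens of MB."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_or_delete(zip_path: Path, expected_hex: str) -> str:
    """Return the digest when it matches; otherwise delete the zip and raise.

    Deleting on failure is what stops one bad download from being shared with
    every later build that finds the file already present.
    """
    actual = sha256_of_file(zip_path)
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        zip_path.unlink(missing_ok=True)
        raise ChecksumMismatch(f"{zip_path.name}: expected {expected_hex}, got {actual}; file removed")
    return actual


def install_distribution(zip_path: Path, expected_hex: str, dist_dir: Path,
                         always_unpack: bool = False) -> Path:
    """Unpack only after the checksum has been verified.

    An already unpacked directory is reused without re-reading the zip (the
    wrapper behaviour noted in the PR); always_unpack forces verify-and-unpack.
    """
    if dist_dir.is_dir() and not always_unpack:
        return dist_dir
    verify_or_delete(zip_path, expected_hex)  # raises before anything is unpacked
    if dist_dir.exists():
        shutil.rmtree(dist_dir)
    with zipfile.ZipFile(zip_path) as z:
        z.extractall(dist_dir)
    return dist_dir


def make_sample_distribution(directory: Path) -> Tuple[Path, str]:
    """Constructed stand-in for apache-maven-<ver>-bin.zip plus its true digest."""
    zip_path = directory / "apache-maven-bin.zip"
    with zipfile.ZipFile(zip_path, "w") as z:
        z.writestr("bin/mvn", "#!/bin/sh\necho maven\n")
    return zip_path, sha256_of_file(zip_path)


def demo() -> dict:
    """Good, cached and tampered cases in a temp dir; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        zip_path, pinned = make_sample_distribution(base)
        dist = base / "apache-maven-dist"
        install_distribution(zip_path, pinned, dist)
        first_ok = (dist / "bin" / "mvn").is_file()

        # Corrupt the cached zip in place, as a poisoned shared cache would.
        data = bytearray(zip_path.read_bytes())
        data[-1] ^= 0xFF
        zip_path.write_bytes(bytes(data))

        # The unpacked copy is reused; the bad zip is not read at all.
        cached_reused = install_distribution(zip_path, pinned, dist) == dist and zip_path.exists()

        # A forced re-unpack must verify first, reject, and remove the zip.
        try:
            install_distribution(zip_path, pinned, dist, always_unpack=True)
            rejected = False
        except ChecksumMismatch:
            rejected = True
        return {
            "first_install_ok": first_ok,
            "cached_reused": cached_reused,
            "tampered_rejected": rejected,
            "tampered_zip_removed": not zip_path.exists(),
            "old_unpack_kept": (dist / "bin" / "mvn").is_file(),
        }


if __name__ == "__main__":
    print(demo())
```

The ordering in `install_distribution` is the whole point: the digest is checked on the zip, the only thing the download produced, and the unpack step is never reached on a mismatch. Whether to also discard an already unpacked directory when the cached zip turns out to be bad is a policy decision the example leaves alone; here the old directory is kept and only the zip is removed.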



[GitHub] [maven-verifier] asfgit merged pull request #53: [MSHARED-1139] Calculate baseurl by means of Path and URI in Verifier…

2022-10-05 Thread GitBox


asfgit merged PR #53:
URL: https://github.com/apache/maven-verifier/pull/53





[GitHub] [maven-resolver] cstamas merged pull request #199: [MRESOLVER-269] [MRESOLVER-275] Trusted checksums source and more compact format backed source

2022-10-05 Thread GitBox


cstamas merged PR #199:
URL: https://github.com/apache/maven-resolver/pull/199





[jira] [Commented] (MWRAPPER-75) Allow for sha256 checksum verification of downloaded artifacts.

2022-10-05 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/MWRAPPER-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613201#comment-17613201
 ] 

ASF GitHub Bot commented on MWRAPPER-75:


raphw commented on PR #58:
URL: https://github.com/apache/maven-wrapper/pull/58#issuecomment-1265742206


