I'm not worried about attempts to download: the issue you found proves that the value of the mirror URL blocks anything, even if not really the ideal way,
but you're right that it's hard to understand from a user perspective...

I just managed to fix the issue:
https://github.com/apache/maven/commit/d295dc362fe7d7b189b4976a5742a17362eb51a1

perhaps we should respin 3.8.1

Regards,

Hervé

On Wednesday, 24 March 2021, 20:51:10 CET, Maarten Mulders wrote:
> A 0-vote from my side. As far as I can tell, non-TLS repos are indeed
> blocked. That is the main reason for cutting this release, and it works,
> which is good.
>
> But if I understood Hervé correctly, the message that appears when Maven
> attempts download of an artifact over a non-TLS connection differs
> depending on which component attempted the download. This has two
> consequences:
>
> 1. The message is sometimes pretty clear, but sometimes rather vague. An
> example of the latter one: "Checksum validation failed, expected Lorem
> but is a0a3234b13da255645808f53efb387d26ae441db". One must be quite
> clever to deduce that Maven attempted to download something over HTTP.
>
> 2. I am worried that we may have missed a component that also attempts
> to download artifacts, and still allows non-HTTP connections.
>
> Maybe I didn't understand correctly - I actually hope so. In that case,
> please explain to me where my understanding is wrong.
>
> Thanks,
>
> Maarten
>
> On March 24th, 2021 at 18:54, Gary Gregory wrote:
> > Whenever I have to explain to colleagues that Maven "burns" version numbers
> > when a release candidate fails or some other obtuse reason, they are just
> > as baffled as I am. In the end it does not matter it's just bizarre.
> >
> > Gary
> >
> > On Tue, Mar 23, 2021, 20:58 Olivier Lamy <[email protected]> wrote:
> >> +0
> >> Same reason as Ralph, the versioning seems weird to me.
> >> I don't understand the reasoning of version number. Our version number
> >> doesn't have to be managed by some tweet or google links.
> >>
> >> On Wed, 24 Mar 2021 at 09:17, Ralph Goers <[email protected]> wrote:
> >>> If I were a user and expected the feature to be in 3.7.0 then I would
> >>> certainly also expect it in 3.8.0. The only ways to avoid this are a) stay
> >>> on 3.6.x.x until the feature is available, b) specifically say the promised
> >>> features aren’t available yet.
> >>>
> >>> That said I’m +0 on the version numbering.
> >>>
> >>> Ralph
> >>>
> >>>> On Mar 22, 2021, at 3:09 PM, Robert Scholte <[email protected]> wrote:
> >>>> There were enough tweets and conference talks where I demonstrated the
> >>>> idea behind build/consumer.
> >>>> Of course the audience wanted to hear a version, so the best possible
> >>>> answer was "most likely 3.7.0"
> >>>> First Google hit: Maven 3.7 to Include Default Wrapper - InfoQ[1] and
> >>>> you can find much more.
> >>>> Several PMC members discussed what would be the proper value, the
> >>>> result was in the end 3.8.0.
> >>>> Most important: it is beyond 3.6.3 and before 4.
> >>>>
> >>>> Robert
> >>>>
> >>>> [1] https://www.infoq.com/news/2020/04/maven-wrapper/
> >>>>
> >>>> On 22-3-2021 21:14:10, Elliotte Rusty Harold <[email protected]> wrote:
> >>>> I'm a weak -1 on this, solely because I don't find the reasoning for
> >>>> not calling this 3.7.0 to be compelling. "Apache Maven 3.7.0 would be
> >>>> the first release where you could optionally activate the
> >>>> build/consumer feature. This version of this release has been renamed
> >>>> to 4.0.0. Reusing 3.7.0 might lead to confusion, hence we picked the
> >>>> next available minor version."
> >>>>
> >>>> Are we sure? I certainly didn't expect 3.7.0 to be the first release
> >>>> where you could optionally activate the build/consumer feature. I
> >>>> can't say I expected anything in particular for 3.7.0.
> >>>> Did Maven ever promise there would be a 3.7.0 with this feature?
> >>>>
> >>>> If it were renamed 3.7.0 I'd be at +1.
> >>>>
> >>>> On Mon, Mar 22, 2021 at 7:40 PM Robert Scholte wrote:
> >>>>> Hi,
> >>>>>
> >>>>> For the details about this release, please read
> >>>>> https://maven.apache.org/docs/3.8.0/release-notes.html
> >>>>> Also please provide feedback on the release notes. (as you know, these
> >>>>> are published separately from the release, so it doesn't have to block the
> >>>>> release itself)
> >>>>>
> >>>>> We solved 5 issues:
> >>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12350003&styleName=Text
> >>>>>
> >>>>> There are still a couple of issues left in JIRA:
> >>>>> https://issues.apache.org/jira/issues/?jql=project%20%3D%2012316922%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20key%20DESC%2C%20priority%20DESC
> >>>>>
> >>>>> Staging repo:
> >>>>> https://repository.apache.org/content/repositories/maven-1633/
> >>>>> https://dist.apache.org/repos/dist/release/maven/maven-3/3.8.0/binaries/apache-maven-3.8.0-bin.zip
> >>>>> https://dist.apache.org/repos/dist/release/maven/maven-3/3.8.0/source/apache-maven-3.8.0-src.zip
> >>>>>
> >>>>> Source release checksum(s):
> >>>>> apache-maven-3.8.0-bin.zip sha512:
> >>>>> b56da9a0efa45e084e4882b795787fc7b61970d19835635b2db099b91a9854f14e3776a01d569e3f7af9db946a05af91abbfad41cdc5ac09e90df25077dec01e
> >>>>> apache-maven-3.8.0-src.zip sha512:
> >>>>> 51a1570894e8fb1ef52cb19ce472866745ccae2720e45304edd3cabc212cdf105937c76502558fe87995aea81c41402d7f581cc8e9393af234b64696e9a45893
> >>>>>
> >>>>> Staging site:
> >>>>> https://maven.apache.org/ref/3-LATEST/
> >>>>>
> >>>>> Guide to testing staged releases:
> >>>>> https://maven.apache.org/guides/development/guide-testing-releases.html
> >>>>>
> >>>>> Vote open for at least 72 hours.
> >>>>>
> >>>>> [ ] +1
> >>>>> [ ] +0
> >>>>> [ ] -1
> >>>>
> >>>> --
> >>>> Elliotte Rusty Harold
> >>>> [email protected]
> >>
> >> --
> >> Olivier Lamy
> >> http://twitter.com/olamy | http://linkedin.com/in/olamy

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
