[ 
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17186929#comment-17186929
 ] 

brian clozel commented on MNG-6397:
-----------------------------------

This issue bothers me in many ways.

??Spring Boot takes the _non-standard_ approach of forcing you to reference 
their parent POM _instead of_ simply just referencing Spring Boot as a 
dependency in your project POM. As a result, the dependency graph is hi-jacked 
by Spring Boot because the graph root does not hinge on your project POM as the 
root of the graph, like it would in a normal Maven project, instead your 
project POM just becomes a child in the puppet-mastery of the Spring Boot 
parent POM, and you, as a developer, are no longer in control of the build in 
its entirety – and this scenario of "loss of control" has exposed a certain 
edge-case bug in *how* _all_ of the dependencies of the entire dependency graph 
get downloaded.??

First, there are many ways to use Spring Boot: you can [choose a build 
tool|https://docs.spring.io/spring-boot/docs/current/reference/html/build-tool-plugins.html#build-tool-plugins],
 or just import {{spring-boot-dependencies}} as a BOM and take full control of 
your POM hierarchy. We do recommend importing the Spring Boot parent (and 
that's what we do on start.spring.io), because we think this is the best 
approach to support our users on Maven. How is this approach "non standard" and 
what is the standard you're referring to? Of course Spring libraries can be 
consumed as regular dependencies, but in this case Spring Boot does much more 
than a library.

Also, why would people here assume that Spring Boot is forcing those 
repository declarations on purpose? Do Spring projects have a history of 
being bad Maven citizens?
A quick look on search.maven.org shows that Spring Boot {{2.0.0.RELEASE}} is 
*the only version declaring those repositories in our dependencies module*. 
Another quick search in the Spring Boot tracker shows that [we noticed that 
problem ourselves and this was quickly addressed in 
{{2.0.1.RELEASE}}|https://github.com/spring-projects/spring-boot/issues/12378], 
released a month after {{2.0.0.RELEASE}}.

Finally, why are Spring developers being pulled here for a one-off, 2-year-old 
problem on a POM (fixed a month after it appeared) on a Spring Boot generation 
that is now EOL? The best workaround here is to upgrade to {{2.0.1.RELEASE}} or 
better, upgrade to a version that is supported officially by the Spring team.

If there are any issues with POMs Spring Boot is publishing, [please create an 
issue on our tracker|https://github.com/spring-projects/spring-boot/issues]. 

> Maven Transitive Dependency Resolution Does Not Respect Repository Definition 
> in pom.xml
> ----------------------------------------------------------------------------------------
>
>                 Key: MNG-6397
>                 URL: https://issues.apache.org/jira/browse/MNG-6397
>             Project: Maven
>          Issue Type: New Feature
>          Components: Artifacts and Repositories, Dependencies, POM
>    Affects Versions: 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
>         Environment: Apache Maven 3.5.0 
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home: 
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
>            Reporter: Alan Czajkowski
>            Priority: Critical
>              Labels: maven
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot 
> access the Internet, I can only access my internal Maven repository inside my 
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/ 
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
>     <dependencies>
> ...
>         <dependency>
>             <groupId>org.springframework.boot</groupId>
>             <artifactId>spring-boot-starter-web</artifactId>
>             <version>2.0.0.RELEASE</version>
>         </dependency>
> ...
>     </dependencies>
> ...
>     <repositories>
> ...
>         <repository>
>             <id>central</id>
>             <name>Public</name>
>             <url>https://artifacts.example.com/repository/maven/</url>
>             <releases>
>                 <enabled>true</enabled>
>             </releases>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>         </repository>
> ...
>     </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> |  +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> |  +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
> |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
> |  \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading: https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend: Could not resolve dependencies for project com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed to collect dependencies at org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE -> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read artifact descriptor for org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to spring-milestone (https://repo.spring.io/milestone): Connection reset -> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone 
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the 
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom 
> structure a few jumps) you'll eventually get to a parent-pom 
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
>     <repositories>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>spring-milestone</id>
>             <name>Spring Milestone</name>
>             <url>https://repo.spring.io/milestone</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>             <id>spring-snapshot</id>
>             <name>Spring Snapshot</name>
>             <url>https://repo.spring.io/snapshot</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>rabbit-milestone</id>
>             <name>Rabbit Milestone</name>
>             <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
>         </repository>
>     </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to 
> [https://artifacts.example.com/repository/maven/] to try to find the missing 
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only 
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven 
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}} 
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}. 
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely 
> hi-jack the repository list that the build pulls from (this type of 
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist 
> in [https://artifacts.example.com/repository/maven/] and can be fetched no 
> problem if it is explicitly defined in my {{pom.xml}} but defining it 
> explicitly would be a work-around and I cannot use this work-around in my 
> situation.*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
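
An added example, not part of the original thread or of Maven or Spring Boot: a Python check that lists the resolution repositories a POM declares and flags any whose host is outside an allowlist, which is how a build pinned to an internal repository can spot a dependency POM like the one quoted above before it is resolved. The function names, `ALLOWED_HOSTS`, the `deploy.example.org` URL and both sample POMs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the only host builds may resolve from (the internal repository in the report).
ALLOWED_HOSTS = {"artifacts.example.com"}

# Constructed sample: the <repositories> block quoted in the report, wrapped in a minimal POM.
DEPENDENCY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>spring-milestone</id><url>https://repo.spring.io/milestone</url></repository>
    <repository><id>spring-snapshot</id><url>https://repo.spring.io/snapshot</url></repository>
    <repository><id>rabbit-milestone</id><url>https://dl.bintray.com/rabbitmq/maven-milestones</url></repository>
  </repositories>
</project>"""

# Constructed sample: the reporter's project POM plus a deployment target (not a resolution source).
PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <distributionManagement>
    <repository><id>releases</id><url>https://deploy.example.org/releases</url></repository>
  </distributionManagement>
  <repositories>
    <repository><id>central</id><url>https://artifacts.example.com/repository/maven/</url></repository>
  </repositories>
</project>"""

def _local(tag):
    """Drop the XML namespace so POMs with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]

def declared_repositories(pom_xml):
    """Return (id, url) for each resolution repository a POM declares, profiles included."""
    found = []
    for container in ET.fromstring(pom_xml).iter():
        # Only <repositories>/<pluginRepositories> feed resolution; <distributionManagement> does not.
        if _local(container.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in container:
            fields = {_local(child.tag): (child.text or "").strip() for child in repo}
            found.append((fields.get("id", ""), fields.get("url", "")))
    return found

def unexpected_repositories(pom_xml, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Repositories whose host is not allowlisted; unresolved ${...} URLs have no host and are flagged."""
    return [(rid, url) for rid, url in declared_repositories(pom_xml)
            if (urlparse(url).hostname or "") not in allowed_hosts]

if __name__ == "__main__":
    for name, pom in (("dependency POM", DEPENDENCY_POM), ("project POM", PROJECT_POM)):
        print(name, unexpected_repositories(pom))
```

Run over the `.pom` files in a local repository or proxy cache, the same function gives a list of dependency POMs that would pull from hosts the build is not meant to reach.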
