[jira] Commented: (MEV-649) log4j 1.2.15 points to nonfuctional maven-repository.dev.java.net packages breaking whole build

[Dennis Lundberg (JIRA)]

    [ 
http://jira.codehaus.org/browse/MEV-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209851#action_209851
 ] 

Dennis Lundberg commented on MEV-649:
-------------------------------------

This has already been fixed in
https://issues.apache.org/bugzilla/show_bug.cgi?id=43304

> log4j 1.2.15 points to nonfuctional maven-repository.dev.java.net packages 
> breaking whole build
> -----------------------------------------------------------------------------------------------
>
>                 Key: MEV-649
>                 URL: http://jira.codehaus.org/browse/MEV-649
>             Project: Maven Evangelism
>          Issue Type: Bug
>            Reporter: Jan Uhlir
>            Assignee: Carlos Sanchez
>
> Log4j 2.1.15 dependency from central repository has dependencies linked to 
> https://maven-repository.dev.java.net/nonav/repository -  jmxri, jmxtools and 
> java mail (and others?). These denpendencies are broken or the whole external 
> repository is unaccesible by now.
> Is it even permitted to have "external" dependency for a package in central 
> repository? 
> I found it hard to find how to disable a repository (block a repository) so I 
> am using this opportunity for a micro how to for unlucky ones like me.
> Troubled dependency definition:
> <dependency>
>       <groupId>log4j</groupId>
>       <artifactId>log4j</artifactId>
>       <version>1.2.15</version>
> </dependency>
> Error log (shortened) ----------------------
> [INFO] Scanning for projects...
> ...
> [INFO] Copying 1 resource
> Downloading: 
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> Downloading: 
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 353/353b
> 353b downloaded  (jmxri-1.2.1.jar)
> 357/357b
> 357b downloaded  (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 
> 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
> Downloading: 
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> 353/353b
> 353b downloaded  (jmxri-1.2.1.jar)
> [WARNING] [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local 
> = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
> *** CHECKSUM FAILED - Checksum failed on download: local = 
> '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
> Downloading: 
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 357/357b
> 357b downloaded  (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 
> '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
> ...
> [INFO] Compilation failure
> ...
> error: error reading 
> /opt/javalibs/com/sun/jdmk/jmxtools/1.2.1/jmxtools-1.2.1.jar; error in 
> opening zip file
> error: error reading /opt/javalibs/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar; 
> error in opening zip file
> Solution (1) - Disable repository (settings.xml).
> Note, it is much more tricky that it seems to be! It gave me hard time before 
> I found out. Documentation should be improved here.
> 1) Tricky, you have to do it for releases and snapshots. There is no 
> repository wide disabling option.
> 2) You have to provide not just same (failing) repository URL but more 
> importantly the same repository ID as it is in ill referencig POM (log4j 
> 2.1.15 in our case)
> 3) Blacklisting repository is something completely different then disabling. 
> Not usable in this case (?). It is not ad hoc settable by user anyway
> OK, here is the code: 
> <profile>
>       <id>default</id>
>       ...
>       <repositories>
>               <repository>
>                       <id>java.net</id>
>                       <!-- IMPORTANT!!! you have to use same ID as in 
> affected POM otherwise it does not work -->
>                       
> <url>https://maven-repository.dev.java.net/nonav/repository</url>
>                       <releases>
>                               <enabled>false</enabled>
>                       </releases>
>                       <snapshots>
>                               <enabled>false</enabled>
>                       </snapshots>
>               </repository>
>       </repositories>
> </profile>
> Solution (2) - exclude the "external" sub-dependencies of log4j 2.1.15, like  
> jmxri, jmxtools and java mail. And perhaps others. It takes more time to 
> figure out what else "external".  
> Solution (3) - the best one. Use version log4j 2.1.14 instead. It seems to be 
> OK.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira