CVE-2021-26291: Apache Maven: block repositories using http by default

2021-04-23 Thread Brian Fox
Apache Maven may follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Mav

Re: [VOTE] Retire Maven Downloader

2019-06-11 Thread Brian Fox
+1 On Sun, Jun 9, 2019 at 5:32 AM Karl Heinz Marbaise wrote: > > Hi, > > +1 from me. > > Kind regards > Karl Heinz Marbaise > On 07.06.19 15:32, Robert Scholte wrote: > > Hi, > > > > The Apache Maven project consist of about 90 (sub)projects. Due to the > > small number of volunteers and the hug

Deprecating HTTP access to Central

2019-05-06 Thread Brian Fox
Last year, we deprecated old and insecure TLS protocols on Central to make access more secure. This year, we're moving things forward again by deprecating and later removing access to insecure by default HTTP access. Right now this affects less than 20% of the traffic hitting Central. To find out

Re: Maven error during Raspberry to Amazon Echo project.

2019-01-22 Thread Brian Fox
Can you attach your logs as text? Most people aren't going to watch a video to see what you did and the screenshot was not sent through to the mail so there's no way to see what your error was. On Thu, Jan 3, 2019 at 8:35 PM Mikail Eryilmaz wrote: > > > > > Skickades från E-post

Re: Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

2018-07-25 Thread Brian Fox
--mobile > On Jul 25, 2018, at 9:24 PM, Mark Derricutt wrote: > > On 26 Jul 2018, at 12:55, Brian Fox wrote: > > Find the Maven Plugin docs here: > https://sonatype.github.io/ossindex-maven/maven-plugin/ > > This looks awesome! One nit pick tho - the XML plugin def

Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

2018-07-25 Thread Brian Fox
You probably know Sonatype for our work in the Maven community, Nexus Repository Manager, and for hosting Central. You may not know that for the last 7 years we've also been leading the way in solutions that allow developers to innovate faster and be able to improve security, license compliance and

Re: Notice: Java 6 and 7 users: SSL Protocol upgrades coming to Central

2018-06-12 Thread Brian Fox
Bumping this again. Cutover is next week. On Mon, May 21, 2018 at 2:22 PM, Brian Fox wrote: > The march of standards continues unabated. Legacy TLS protocols 1.0 > and 1.1 have varying weaknesses that could lead to a false sense of > security. > > In June, in an effort to rai

Notice: Java 6 and 7 users: SSL Protocol upgrades coming to Central

2018-05-21 Thread Brian Fox
The march of standards continues unabated. Legacy TLS protocols 1.0 and 1.1 have varying weaknesses that could lead to a false sense of security. In June, in an effort to raise security and comply with modern standards, the insecure TLS 1.0 & 1.1 protocols will no longer be supported for SSL conne

Re: Looking for recommendations how to best use Maven in a muti-stagePipeline build to only deploy at the end

2018-03-14 Thread Brian Fox
On Wed, Feb 14, 2018 at 9:31 PM, Eric B wrote: > Bernd, > > Nexus 3.x does not support staging repos b/c they are rewriting the entire > platform to support not just Maven artifacts, but any type of repo-based > artifact. Ex: docker images, npm dependencies, etc... This is true and it's getting

Re: Failure to find artifact in Nexus

2013-09-10 Thread Brian Fox
You still have something wrong with the repositories in your pom or the settings.xml. Making requests to Nexus /releases would generally only be done for _your_ internal components, not for things like http client or the clean plugin. You would normally have requests to .../public instead. I'm

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

2013-08-05 Thread Brian Fox
rds making it "official" > > Everyone else, > > Time to shout out if you have any issues / suggested improvements on the > content > > - Stephen > > On Friday, 2 August 2013, Stephen Connolly wrote: > >> On 2 August 2013 16:07, Brian Fox > 'cvml', 

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

2013-08-02 Thread Brian Fox
On Aug 2, 2013, at 12:30 PM, Paul Benedict wrote: > I've stated from the beginning of this thread that it's impossible to > prevent someone from developing outside of Apache. I stand by that still. > That can't be prevented and any attempt will fail since it's not practical. > > If my words today

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

2013-08-02 Thread Brian Fox
On Fri, Aug 2, 2013 at 12:10 PM, Stephen Connolly wrote: > So anyway, I now have this ultra whizzbang high performance logging API and > I am aware of some deficit in the logging performance of Maven, so I spin > up a private fork (it could be a hidden private fork, or it could be a > public one..

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

2013-08-02 Thread Brian Fox
I think the bulk of this is pretty good. On the fork section, specifically: " As soon as changes in that fork are identified which should be brought back to the project those changes should be introduced into at least a branch hosted on the Apache Maven source control in order to facilitate the ea

Re: bad request return code from Sonatype doing release:perform

2013-07-29 Thread Brian Fox
Looking at the logs, it appears that you are trying to actually stage the parent, not your project. You don't have permissions to stage the oss parent, hence the error. On Fri, Jul 19, 2013 at 8:25 AM, Richard Sand wrote: > Hi all - trying to get my first plugin released into Maven Central. The >

Re: maven deploy artifacts to Nexus repository

2013-03-25 Thread Brian Fox
SCP to Nexus isn't supported, and writing directly to the storage underneath Nexus isn't really supported either. If the concern is about having a password in the settings.xml, take a look at User Token[1]. Ironically this feature started out with a desire to support SCP but for a number of reasons

Re: My view on the relative merits of different ways to unpack jars into target/classes

2013-03-21 Thread Brian Fox
That's a good post to sum up all the options. On Thu, Mar 21, 2013 at 8:15 AM, Stephen Connolly wrote: > I think mailing lists are not the best way to explain why different > solutions are to be preferred when ranking against what is best for the > Maven ecosystem as a whole. > > So I wrote a blo

Re: Unpacking jars into target/classes

2013-03-20 Thread Brian Fox
I haven't had time lately to follow a lot of the user list threads, but this one got my attention so I read the whole thing last night. Without having any background on Joachim's previous threads, and judging everything only based on this one, I was kind of surprised...not in a good way. If this wa

Re: Maven Central Stats: re Most downloaded Maven plugins?

2013-03-18 Thread Brian Fox
Barrie, the stats for all maven artifacts are available to maven committers by logging in to the https://repository.apache.org instance and clicking on "Central Stats" On Thu, Mar 14, 2013 at 9:06 PM, Barrie Treloar wrote: > http://maven.40175.n5.nabble.com/Unpacking-jars-into-target-classes-td57

Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

2013-02-24 Thread Brian Fox
-- Forwarded message -- From: Olivier Lamy Date: Sat, Feb 23, 2013 at 9:59 AM Subject: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4 To: annou...@apache.org, annou...@maven.apache.org Cc: Maven Developers List VE-2013-0253 Apache Maven Severity: Medium Vendor: The Apache Softwar

Re: [ANN] Apache Maven 3.0.5 released

2013-02-24 Thread Brian Fox
Just wanted to bring this to the users list and ensure that those reading the release notes see the security alert for 3.0.4: CVE-2013-0253 Apache Maven Severity: Medium Vendor: The Apache Software Foundation Versions Affected: - Apache Maven 3.0.4 - Apache Maven Wagon 2.1, 2.2, 2.3 Descripti

Re: Dependency resolution kicks in too early

2013-02-11 Thread Brian Fox
You've run into a non-supported edge case. On Mon, Feb 11, 2013 at 4:17 AM, Reinhard Nägele < reinhard.naeg...@mgm-tp.com> wrote: > Hello, > > A couple of years ago I used a plugin execution in the validate phase to > bootstrap jars that were not available on Maven Central as suggested in > [1].

Re: snapshot versions and classpath stored in manifest

2013-01-09 Thread Brian Fox
Are you positive you are using jar plugin version 2.3? On Mon, Jan 7, 2013 at 11:26 AM, Anthony Dahanne wrote: > Hello all, > I am using Maven 3 with Nexus 2. > I am building a cli tool (let's call it cli) , which has dependencies on > some other libraries (let's call them dependencyA and depend

Re: Can not get a jar from maven central

2012-11-05 Thread Brian Fox
N oone has been blacklisted in a while. Can you give us the headers like shown here: $ curl -I http://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-api/4.3.1/avalon-framework-api-4.3.1.jar HTTP/1.1

Re: How to optimize maven dependencies to get better performance?

2012-10-16 Thread Brian Fox
The problem below is because your configuration is inside an execution, which when run from the command line like mvm enforcer:enforce won't be activated. Either bind this plugin to a phase as part of your build, or move the configuration element outside the executions block. On Thu, Oct 11, 2012

Re: Maven/Nexus metadata interaction question

2012-08-25 Thread Brian Fox
On Sat, Aug 25, 2012 at 6:48 AM, Robert Scholte wrote: > > This sounds like https://jira.codehaus.org/browse/MNG-5324 Agree, that looks like the same thing. I tested all different forms of this with Nexus and the metadata was verified to be correct each time. I didn't check with Maven though, I w

Re: Maven/Nexus metadata interaction question

2012-08-24 Thread Brian Fox
On Fri, Aug 24, 2012 at 5:43 PM, David Hoffer wrote: > I can't say the whole problem is with Nexus. I can say that the > requirement in Maven3 to always use timestamped snapshots has not be > addressed in a complete way with tools like Nexus and my beloved IDE > IntelliJ. We have hundreds if not

Re: Maven/Nexus metadata interaction question

2012-08-24 Thread Brian Fox
On Fri, Aug 24, 2012 at 5:27 PM, Laird Nelson wrote: > On Fri, Aug 24, 2012 at 1:52 PM, David Hoffer wrote: > >> We have been having nothing but trouble with Nexus and >> Maven3 with the time-stamped snapshots and all the various metadata >> files that Nexus spits out (which confuse Maven and IDE

Central is now being served from a CDN

2012-07-20 Thread Brian Fox
Just over a year ago we evolved the Central architecture to be globally load balanced with 2 servers in the US and 2 more in the UK. This year, we've gone even futher to increase reliability and delivery performance. We evaluated several options and ultimately settled with Edgecast as the delivery

Re: Maven Enforcer plugin: can I make it be quiet?

2012-07-19 Thread Brian Fox
Which rule spits that out? This seems unusual. On Thu, Jul 19, 2012 at 6:11 PM, Laird Nelson wrote: > The Maven Enforcer plugin version 1.1.1 outputs a ton of information at the > INFO level that seems to me to be repetitive and uninteresting. Here is an > excerpt from a normal run: > > [INFO]

Re: any public nexus repo manager I can use for my project

2012-06-20 Thread Brian Fox
If it's an oss project, then you can use https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide On Wed, Jun 20, 2012 at 11:37 AM, fachhoch wrote: > we dont a local nexus repo mamnager installed , and we are developers > working in remote locations , our project

Re: why is commons-math3 jar missing from sonatype mirror of central?

2012-06-06 Thread Brian Fox
Found the email Russ ;-) Anyway, repository.s.o isn't intended to be a mirror, it's just a proxy used primarily by us for internal use and for oss users building our stuff. http://search.maven.org has replaced the need to use rso's search as well. Regarding why the files aren't in the repository,

Re: How does one mirror a maven repository?

2012-06-06 Thread Brian Fox
Nexus Pro has functionality that would allow you to do mirroring, we have a bunch of customers doing exactly what you ask. On Fri, Jun 1, 2012 at 12:53 PM, Phillip Hellewell wrote: > Hi, > > Our company would like to mirror our Maven repository at a remote > location. Currently we've been using

Re: How to replicate company internal repository?

2012-04-27 Thread Brian Fox
Everything is stored in the sonatype-work/nexus folder. Copy that folder to another machine and you have duplicated your entire instance. On Thu, Apr 26, 2012 at 10:01 PM, hujirong wrote: > The one I am using in my test environment is not professional, but a free > one. I don't see anywhere a "c

Re: How to get access to ALL the data in maven central?

2012-04-10 Thread Brian Fox
Make a request here and I can attach the poms for you: https://issues.sonatype.org/browse/MVNCENTRAL On Tue, Apr 10, 2012 at 1:17 PM, Wayne Fay wrote: > > If you wanted to scrape Maven Central for just the poms then I'd > > contact Sonatype who manage the central repository. > > As Barrie said,

Re: Unable to download plugin from Nexus

2011-11-14 Thread Brian Fox
It looks to me like your settings.xml isn't defining a pluginRepository. On Thu, Nov 10, 2011 at 7:09 AM, brian2011 wrote: > Hi, > > I'm using Maven 2.2.1 and  Nexus 1.7.2. Nexus is configured as an internal > repository manager with a single nexus group to external repository such as > maven cen

Re: Maven central repository

2011-10-14 Thread Brian Fox
A new version of the indexer was released and requested to be rerun over central. That means a new full index was generated, when typically it is just an incremental index. The size of the file and speed of ibiblio seems to be giving some people trouble. But it should sort itself out, besides reset

Re: Forbiden? http://repo1.maven.apache.org/maven2/junit/junit/3.8.2/junit-3.8.2.jar

2011-09-08 Thread Brian Fox
Maybe you're behind a firewall that hasn't adjusted to the new ips? http://www.sonatype.com/people/2011/07/the-central-repository-is-getting-faster-are-you-ready-for-the-new-ips/ On Wed, Aug 31, 2011 at 5:49 PM, Jason Pyeron wrote: > Not sure if this is the right place to ask, but I am getting a

Re: -gs does not apply to the forked maven execution in release:prepare

2011-09-04 Thread Brian Fox
Release forks the build and therefore not all the parameters are passed through. There is a parameter for the plugin though to specify which agurments to pass, I forget what it is, but I'm sure you know how to find it ;-) On Sun, Sep 4, 2011 at 1:48 PM, Benson Margulies wrote: > I was a bit taken

Re: Authorization failed for jboss maven repository

2011-08-30 Thread Brian Fox
> I google'd for "jboss maven repo moved" and found the following blog > post which explains this repo was deprecated over a year ago and was > finally shut down in early June 2011. > http://community.jboss.org/en/build/blog/2011/06/01/blocking-repositoryjbossorgmaven2 My money is on ^^^

Re: how to get the list of artifacts id and group id from maven repository?

2011-08-29 Thread Brian Fox
If this is an external repo: If the repository publishes an index, use that. Otherwise, what you're doing would likely be perceived as scraping and get you banned from remote repositories. If this is an internal repo, then use the maven-indexer to produce an index for you. On Mon, Aug 29, 2011 at

Re: Nexus help

2011-08-23 Thread Brian Fox
It's because Github returns a 404 on your repo: https://raw.github.com/davidhoyt/mvn-repo/master/maven2/snapshots/ and this makes Nexus think the repo isn't available. Disable the Auto blocking and it should work. On Tue, Aug 23, 2011 at 2:28 AM, Hoyt, David wrote: > I'm trying to setup a micro r

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

2011-08-19 Thread Brian Fox
On Fri, Aug 19, 2011 at 4:35 PM, Thiessen, Todd (Todd) wrote: > Thanks for clarifying. Hopefully we can get some advice here wrt the policies > regarding different artifacts with the same GAV. This is a very rare circumstance. What happened was we merged java.net with Central. Anything that was

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

2011-08-19 Thread Brian Fox
ther, it's a transitive dependency of > com.sun.jersey.contribs:jersey-spring:1.1.4).  I don't understand why > changing the dependency to a direct one gets Maven to download it from our > central repo, but it does. > > 2.  In pom.xml, specify our Nexus java.net copy a

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

2011-08-19 Thread Brian Fox
What is the failure that you're seeing here? The changes look appropriate since the contents of maven/1 and maven/2 are now in Central, so removing those repo declarations should have no effect. On Fri, Aug 19, 2011 at 10:18 AM, Blaney, Kyle (Kyle) wrote: > We recently encountered a strange Maven

Re: If its' not one thing it's another

2011-08-04 Thread Brian Fox
It appears like you aren't using groups in Nexus. Your maven shouldn't be telling you it's looking in the jboss repo, it should be looking in your nexus group and nexus deals with the other repos. You would normally do this in your settings with a mirrorOf * -> nexus/content/groups/public for examp

Re: Central IP number changes

2011-08-01 Thread Brian Fox
As of this morning we enabled the global load balancing and users closest to the EU Nameservers will start hitting the UK server automatically. On Fri, Jul 29, 2011 at 12:24 PM, Brian Fox wrote: > We're moving around some switching gear to have faster internet access > for Central.

Central IP number changes

2011-07-29 Thread Brian Fox
We're moving around some switching gear to have faster internet access for Central. Because of this, the ip numbers for the US Central servers will change. This should not affect most users unless your corporate IT has firewall rules locked to the old ips. You can see more details about the change

Re: dependency:copy and transitive dependencies of artifactItems

2011-07-27 Thread Brian Fox
t; to copy the dependencies of another project (not the current one). > > Thanks, > Gili > > > Brian Fox-2 wrote: >> >> It does not support transitivity yet. You can use copy-dependencies and >> combinations of the filters to get the artifacts you need >> &g

Re: Why would "unpack-dependencies" sometimes not do its job?

2011-07-27 Thread Brian Fox
default is: overWriteIfNewer=true overWriteReleases = false overWriteSnapshots=false Setting the releases or snapshots to true will cause it to ignore the if newer check. On Wed, Jul 27, 2011 at 11:13 AM, KARR, DAVID (ATTSI) wrote: >> -Original Message- >> From: Brian Fox

Re: Why would "unpack-dependencies" sometimes not do its job?

2011-07-26 Thread Brian Fox
you can set a flag to tell it to always unpack. I forget the exact param, but it's in the docs. On Tue, Jul 26, 2011 at 5:01 PM, KARR, DAVID (ATTSI) wrote: >> -Original Message- >> From: GALLAGHER, RON (ATTSI) >> Sent: Tuesday, July 26, 2011 12:03 PM >> To: Maven Users List >> Subject: RE

Re: Dependency Plugin behavior changed to copy timestamped snapshot jars

2011-07-15 Thread Brian Fox
If the snapshot was resolved from a repo then it will be timestamped, if it came from the reactor or local repo, then it will be -SNAPSHOT. The plugin calls into the maven resolution logic so this is core maven behavior. In 2.2, resolution from the reactor was introduced for these goals, previousl

Re: Mirrors and repositories

2011-07-08 Thread Brian Fox
> One reason you might do it is to enable a repository to be searched > for snapshots.  By default, Maven's built-in definition of 'central' > only has releases enabled.  Unless you define another repository > somewhere that has snapshots enabled, Maven will never retrieve any > snapshots. This i

Re: Unable to ping Maven Central repository's index location

2011-06-21 Thread Brian Fox
You should always fetch from repo1.maven.org/maven2/.index On Tue, Jun 21, 2011 at 5:50 AM, amaresh mourya wrote: > Hi, > > I am unable to ping [ http://repo2.maven.org.s3.amazonaws.com/.index/ ] > location. Whereas ping to [ http://repo1.maven.org/maven2/.index ] is > successful. > Is the locati

Re: Local repo or central repo

2011-05-24 Thread Brian Fox
local first, then it starts looking in configured repositories (from settings, pom, super-pom) On Tue, May 24, 2011 at 10:45 AM, uday shankar wrote: > Hi, > Where does maven pick the jars from (first) local repo or central repo? > > Regards, > Uday > > -- > View this message in context: > http:/

Re: Bootstraping a repository manager

2011-05-19 Thread Brian Fox
It's also worth mentioning that Nexus Professional's Procurement feature is built for exactly the use case you have. It's meant to have a hard firewall like separation between internal and external artifacts and rules that allow you to approve whitelist/blacklist style, or by wildcard or other runt

Re: central repo?

2011-05-18 Thread Brian Fox
I just wanted to close the loop on this, http://search.maven.org is now updated incrementally in lockstep with the contents of Central. On Fri, May 6, 2011 at 9:53 AM, Brian Fox wrote: > On Fri, May 6, 2011 at 3:54 AM, Nord, James wrote: >> Hi Brian, >> >> "we i

Re: Bootstraping a repository manager

2011-05-18 Thread Brian Fox
You don't need to bootsrap it, just setup a repo like Nexus and let it proxy on demand the things you need. In that case a bootstrap might simply mean run all our builds and/or run mvn dependency:go-offline to resolve everything you need. On Wed, May 18, 2011 at 5:21 PM, Heck, Gus (Patrick) wrote

Re: why I love the maven-dependency plugin

2011-05-18 Thread Brian Fox
On Tue, May 17, 2011 at 3:50 PM, Russ Tremain wrote: > I use the maven-dependency plugin for jar and war packaging. > > It is flexible and non-judgmental. > > This is particularly important when you are converting a large project over > to maven and cannot follow some maven conventions - you may b

Improvements to Central failover: Temporary IP Change to Central on Monday Night

2011-05-09 Thread Brian Fox
In short, we're moving to a clustered IP for the US Central machines to improve the reliability and get automatic failover. We know some users have firewall rules locked to the existing IP, if that's you, pay attention: We're failing over to the backover IP tonight so we can install the clustered

Re: central repo?

2011-05-06 Thread Brian Fox
iving on Central and appearing on Search is minimal. > > Just don't want it forgotten that just as it is in repo1.m.o it may not be in > uk.m.o  (and if it is in the process of being synced could be only be > partially there?) > > Thanks for the quick workaroun

Re: central repo?

2011-05-06 Thread Brian Fox
ated. > > -o > > On 2011-05-05, at 12:52 PM, Brian Fox wrote: > >> Than you, i'll let the team know. >> >> Also, we've adjusted how the redirects work and included a static page >> so people don't feel like the repo was hijacked: >> ht

Re: Problem resolving snapshot version of plugin thru a Mirror

2011-05-05 Thread Brian Fox
> > After debuging Maven I noticed that even having the mirror defined, > SNAPSTHOP version of plugins always were resolved agains Maven`s central > repository (repo1.apache.org). So we found a workaround  overriding central > and snapshot repositories in the setting xml. After that, it worked. > >

Re: central repo?

2011-05-05 Thread Brian Fox
wse > > I had a friend try his system with IE8 and it worked fine.  Needless to say > Chrome and FF work just fine. > > -Jim > > -Original Message- > From: Brian Fox [mailto:bri...@infinity.nu] > Sent: Thursday, May 05, 2011 8:50 AM > To: Maven Users List &g

Re: central repo?

2011-05-05 Thread Brian Fox
On Thu, May 5, 2011 at 7:09 AM, Anders Hammar wrote: > Regarding the "m2e indexes", at what time are they updated? 3:22 CST daily. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: use

Re: central repo?

2011-05-05 Thread Brian Fox
#x27;t anticipate huge numbers of downloads through the search system. > Regards, > >        /james > > -Original Message- > From: Brian Fox [mailto:bri...@infinity.nu] > Sent: 05 May 2011 12:06 > To: Maven Users List > Subject: Re: central repo? > > This was

Re: central repo?

2011-05-05 Thread Brian Fox
This was an attempt to block the constant scrapers that are attempting to crawl the entire repository for no good reason, and the bandwidth isn't free. The index used to serve the search is not the same index used by M2e. Fwiw, the m2e indexes are updated daily now, but I need to see why this inde

Re: Enforcer banned dependencies... Not working ?

2011-04-18 Thread Brian Fox
The warning is talking about the plugin versions rule. Off hand nothing jumps out as being wrong with the config to me. It's been too long since I wrote this rule to recall off the top of my head how it's processed. Take a look at the code and see how includes, excludes are handled. There may be so

Re: maven-dependency-plugin uses target dir instead of artifacts from repository

2011-04-11 Thread Brian Fox
ect I get target/classes. > > That seems to be the opposite to what you have described? > > /Lucas > > > On 04/08/2011 07:52 PM, Brian Fox wrote: > > It's not a hack, the plugin asks maven core to resolve the artifacts and the > objects it gets back have file han

Re: maven-dependency-plugin uses target dir instead of artifacts from repository

2011-04-08 Thread Brian Fox
It's not a hack, the plugin asks maven core to resolve the artifacts and the objects it gets back have file handles. In reactor builds with sibling dependencies, those handles point to the sibling target folder. If you do a compile reactor build, those handles will point to the /target/classes fold

Re: Central Repository IP Address Change?

2011-03-10 Thread Brian Fox
The ip change is part of some networking and hosting upgrades that we've undertaken to ensure the stability of the repository. We actually have 4 systems now that could be serving Central at any given time. There are 2 hosts in the UK and two virtual machines in the US (served from a 6 node cluster

Re: Build Site for parent module, but skip the children?

2011-03-01 Thread Brian Fox
mvn -N site-deploy On Tue, Mar 1, 2011 at 4:50 PM, Brian Ferris wrote: > I have a large multi-module project that I wish to build a site for using > Maven's site functionality.  The trick is that I'd like to avoid building > the sub-module sites as well.  Building the individuals sites for each >

[Announce] Maven Dependency Plugin 2.2

2011-02-22 Thread Brian Fox
The Maven team is pleased to announce the 2.2 release of the Maven Dependency Plugin: http://maven.apache.org/plugins/maven-dependency-plugin Release Notes - Maven 2.x Dependency Plugin - Version 2.2 ** Bug * [MDEP-138] - unpack of tar files fail with ArchiverException: chmod exit code was

Re: Deployment in Repository without version in file name?

2011-02-16 Thread Brian Fox
you can also use the dependency plugin to copy/fetch files and strip off the version. On Wed, Feb 16, 2011 at 3:37 AM, Marc Rohlfs wrote: > Another idea might be: > 1. In Your Maven project, create a text file with the following content: > http://your-nexus/your-nexus-repo/${project.artifactId}-$

Re: java.net versus central

2011-02-12 Thread Brian Fox
We are working on this already --mobile On Feb 11, 2011, at 8:34 PM, Benson Margulies wrote: > I am hoping that some person who works at Sonatype will have pity on me. > > People who work for Oracle seem to have strong feeling that they are > only supposed to deliver things to the java.net repo

Re: Adding upward compat to maven 2.2.x for settings.xml

2011-02-11 Thread Brian Fox
What new features specifically? On Fri, Feb 11, 2011 at 10:56 AM, Benson Margulies wrote: > Would there be any sympathy for a JIRA asking for a maven 2.2.x change > so that the new features of settings.xml (e.g. mirrors) would be > tolerated by maven 2? Since you all didn't change the conventiona

Re: Dependencies get unpacked over and over again

2011-02-03 Thread Brian Fox
fyi, I'll try to cut the release this weekend. On Thu, Feb 3, 2011 at 2:31 PM, Wayne Fay wrote: >> Good news.  I delved into this last week and came up with an even >> better patch, and the developer Brian Fox just applied it! > > Great job, Phillip. We need more

Re: Using Apache parent pom

2011-02-02 Thread Brian Fox
Hi Craig, there's also release-disc...@apache.org to talk about release processes specific to Apache. On Tue, Feb 1, 2011 at 5:54 PM, Craig L Russell wrote: > Thanks Kalle, looks like the right level for me to master before I ask more > detailed questions. > > Craig > > On Feb 1, 2011, at 2:48 PM

uk.maven.org mirror ip change

2011-01-19 Thread Brian Fox
AIRN is requiring that Contegix renumber our machines in the UK so tonight one of them will change and tomorrow the other will change. As always, you should address them using http://uk.maven.org to allow failover but I know occasionally people have to poke holes in their firewalls based on ip. --

Re: dependency:build-classpath seems to ignore configuration

2011-01-17 Thread Brian Fox
i don't think the classpath is filtered based on those values in this goal, it just dumps the actual classpath that would match the desired scope. On Mon, Jan 17, 2011 at 10:52 AM, John Anderson wrote: > I am trying to use dependency:build-classpath. If I run "mvn > dependency:analyze" all seems

Re: Maven 3: deploy-file error 500 on Nexus Repo

2011-01-14 Thread Brian Fox
The 500 is an internal error on the Nexus side. We'll need to see your Nexus logs to see what happened. You should send those to the nexus user list for a quicker answer. On Fri, Jan 14, 2011 at 9:01 AM, martib wrote: > > I'm facing a problem under M3.0.2 or 3.0.1 with Nexus Repository >  mvn dep

Welcome Wayne Fay to the Maven PMC

2011-01-14 Thread Brian Fox
mentation since he's so good at answering questions ;-) Welcome Wayne! --Brian Fox Apache Maven PMC Chair - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org

Re: How to resolve 'LATEST'

2010-12-17 Thread Brian Fox
Don't use RELEASE or LATEST. On Fri, Dec 17, 2010 at 7:43 AM, Asmann, Roland wrote: > Hi all, > > I'm writing an enforcer-rule, that should check if my parent is the > LATEST version. How can I get the actual version for 'LATEST'? > > Thanks! > > -- > Roland Asmann > Senior Software Engineer > >

Re: SNAPSHOT with latest timestamp is used, right?

2010-12-06 Thread Brian Fox
You shouldn't mix unique and non-unique versions of the same snapshot artifact --mobile On Dec 6, 2010, at 5:22 PM, "KARR, DAVID (ATTSI)" wrote: > If I have an artifact with version "n.n.n-SNAPSHOT" in my "user" repo > and the same artifact with version "n.n.n-SNAPSHOT" in the "local" nexus > r

Re: How to download transitive dependencies

2010-12-03 Thread Brian Fox
dependency:copy-dependencies sounds like what you want. On Fri, Dec 3, 2010 at 7:41 AM, amaresh mourya wrote: > Hi, > > >     >       >       >        ${project.groupId} >        maven-utils >        ${project.version} >       > >       >       >        log4j >        log4j >        1.2.14 >    

Re: webservice for maven artifact search?

2010-12-02 Thread Brian Fox
Repository.apache.org exposes nexus' rest interface --mobile On Dec 2, 2010, at 4:44 PM, Russ Tremain wrote: > anyone know of a web-service interface to any of the public maven artifact > lookup services? > > tia, > -russ > >

Re: maven-dependency-plugin 2.2 release?

2010-12-02 Thread Brian Fox
Soon. I resolved a ton of issues at ApacheCon and just ran out of time to wrap it up. I'll be getting back to it in the next week or so. On Wed, Dec 1, 2010 at 10:19 PM, Dan Tran wrote: > me too :-) > > On Wed, Dec 1, 2010 at 10:04 AM, Jim McCaskey > wrote: >> Hello all, >> >> I ran across a pro

Re: Maven Central Repository & Bad Checksums

2010-12-02 Thread Brian Fox
We do a little bit of sleuthing when resolving these types of issues to make sure the file hasn't been changed, which is why automatic correction isn't implemented. We are working on process to ensure that no new things come in this way. It can only happen today via the old rsync mechanisms and tho

Re: FYI Repo "hacked"?

2010-11-29 Thread Brian Fox
Lets look at this closely: On Mon, Nov 29, 2010 at 8:36 AM, Jon Strayer wrote: > On the 24th of November my reports build failed.  The failure message is: > Unable to read local copy of metadata: Cannot read metadata from > 'e:\repo\org\apache\maven\skins\maven-default-skin\maven-metadata-java.ne

Re: How to download an artifact with sources and/or javadocs ?

2010-11-14 Thread Brian Fox
mvn dependency:sources and/or mvn dependency:resolve -Dclassifier=sources or -Dclassifier=javadoc if you use m2eclipse, then it will get the sources/javadocs automatically as needed. On Sun, Nov 14, 2010 at 12:26 PM, piloupy GOTTAPIL wrote: > Hi, > > I've search for nearly half a day, and I did

GAE Service abusing public Maven repos

2010-11-09 Thread Brian Fox
We've just discovered a Google App Engine app called pomyard abusing several repos. Based on the behavior and name of the service, I have reason to believe they may be attempting to scrape public all maven repos not just central, ignoring robots.txt. If you have a public repo, I suggest you block t

[ANN] Maven Enforcer Plugin 1.0

2010-11-08 Thread Brian Fox
The Maven team is pleased to announce the release of the Maven Enforcer Plugin, version 1.0 Maven Enforcer Plugin - The Loving Iron Fist of Maven™ The Enforcer plugin provides goals to control certain environmental constraints such as Maven version, JDK version and OS family along with many more s

Re: Problems using maven-dependencies-plugin

2010-11-05 Thread Brian Fox
The use of the non-standard scopes is not currently a valid use case, so I'd say it's flexmojos with the bug here. It may work for now but who knows what those scopes could do to other tools. On Fri, Nov 5, 2010 at 1:27 PM, Rafael Adson Barbosa Barros wrote: > Hi, > > I'm trying to use maven-depe

Meetup at ApacheCon in Atlanta

2010-11-01 Thread Brian Fox
If you happen to find yourself in Atlanta on Wed, Nov 3rd at 8pm, and want to talk about Maven, come join the meetup. You can find details and the signup page here: http://na.apachecon.com/c/acna2010/schedule/meetups - To unsubscr

Re: Classifier now required by assembly plugin

2010-10-25 Thread Brian Fox
A simple scan of the release notes reveals this was introduced intentionally by MASSEMBLY-464 On Mon, Oct 25, 2010 at 4:58 PM, Wendy Smoak wrote: > On Mon, Oct 25, 2010 at 1:07 PM, Haszlakiewicz, Eric > wrote: >>>-Original Message- >>>From: Wendy Smoak [mailto:wsm...@gmail.com] > >>>Have

Re: Classifier now required by assembly plugin

2010-10-25 Thread Brian Fox
I'll add comments but I don't think this is a bug. On Mon, Oct 25, 2010 at 4:23 PM, Phillip Hellewell wrote: > On Mon, Oct 25, 2010 at 11:07 AM, Haszlakiewicz, Eric > wrote: >> >> I was finally able to test this with the 2.2 release version, and it >> fails for me too, so I created a issue in Ji

Re: Maven Upload Requests separate binaries and sources jar restriction

2010-10-22 Thread Brian Fox
That's not used anymore, you want this: https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+Maven+Central On Thu, Oct 21, 2010 at 5:55 PM, Stevo Slavić wrote: > Hello Apache Maven users, > > On Maven Upload Request JIRA > pro

New official Central repository in Europe

2010-10-19 Thread Brian Fox
As you know, Maven Central has become an increasingly important resource for the development community at large. We've put several efforts forward earlier this year to help improve the content As you know, Maven Central has become an increasingly important resource for the development community at

Re: Use properties to get name of dependency...

2010-10-10 Thread Brian Fox
Once something is deployed to a repo, the finalName has no effect because the name of the file in the repo is part of the layout standard. FinalName only affects the jar/war etc that gets created in the /target folder. S, that means you can always know what the name of the dependency file is,

Re: ${version} in 3.0

2010-10-10 Thread Brian Fox
Perhaps some -X debug output would help track down where this comes from. If it's coming from processing of a dependency's pom, then I would say that you should file a bug report since warning about a pom you can't control just makes this noise and will cause people to ignore valid warnings. On Sa

  1   2   3   4   5   >