There are a couple of things happening here.

1. dependencies are checked even though they are downloaded
This ensures that the build doesn't rely on *your* *local* repository. At any time anybody should be able to build the project; it should even be possible for you to remove your own local repo, so it is important that all dependencies are available via a remote repository.

2. dependencies are verified against their original remote repository.
Recently I read an article about an interesting case regarding downloads from multiple repositories (sadly I can't find it anymore). IIRC what happened is that they noticed a change in behavior of an application. After a while they discovered that some third-party repository was used before Maven Central for downloading dependencies and one library was changed in this third-party repository. The solution was simple: use Maven Central as the primary repository at all times. This might explain why it is important to not just trust the groupId+artifactId+version. The (original) source/repository or an additional kind of checksum is as important.

thanks,
Robert

On Fri, 21 Dec 2018 13:33:10 +0100, Zoran Regvart <zo...@regvart.com> wrote:

Hi Mavenistas,
I was recently quite puzzled on why Maven is trying to download a
dependency already present in the local repository and I tracked it
down to this comment in EnhancedLocalRepositoryManager[1]:

"artifact downloaded from remote repository is accepted only
downloaded from request repositories"

So regardless of the artifact being present in the local repository, an
attempt is made to download it again if the id of the repository
doesn't match the id of the repository stored in the
`_remote.repositories` file.

I think that this will prevent anyone trying to reuse a local
repository with artifacts downloaded from an unknown/unconfigured
repository in an offline build.

Can someone shed some light on the rationale behind this?

Thanks :)

zoran

[1] https://github.com/eclipse/aether-core/blob/4cf5f7a406b516a45d8bf15e7dfe3fb3849cb87b/aether-impl/src/main/java/org/eclipse/aether/internal/impl/EnhancedLocalRepositoryManager.java#L106-L107
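
Added example (not part of the original thread, and not Maven's or Aether's own code): a small audit that walks a local repository, reads each `_remote.repositories` file and lists artifacts that none of the repositories you trust vouches for, which is the same origin check discussed above. It assumes tracking entries of the form `filename>repositoryId=` with an empty id for locally installed files; the repository ids and artifact names in the sample are constructed.

```python
import tempfile
from pathlib import Path

TRACKING_FILE = "_remote.repositories"
LOCAL_INSTALL = ""  # assumed: an empty repository id marks a locally installed file


def parse_tracking(text):
    """Map artifact filename -> set of repository ids recorded for it."""
    origins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment or timestamp header
        key = line.split("=", 1)[0]
        if ">" not in key:
            continue  # not a "file>repoId" entry
        filename, repo_id = key.rsplit(">", 1)
        origins.setdefault(filename, set()).add(repo_id)
    return origins


def audit(local_repo, allowed_ids):
    """Return (relative dir, filename, recorded ids) for every artifact that
    none of the allowed repository ids vouches for."""
    allowed = set(allowed_ids)
    findings = []
    for tracking in sorted(Path(local_repo).rglob(TRACKING_FILE)):
        rel = tracking.parent.relative_to(local_repo).as_posix()
        for filename, ids in sorted(parse_tracking(tracking.read_text()).items()):
            if not ids & allowed:
                findings.append((rel, filename, sorted(ids)))
    return findings


def demo():
    """Build a constructed two-artifact local repository and audit it."""
    samples = {  # constructed sample data, not taken from a real repository
        "org/example/lib-a/1.0": "#sample\nlib-a-1.0.jar>central=\nlib-a-1.0.pom>central=\n",
        "org/example/lib-b/2.1": "#sample\nlib-b-2.1.jar>thirdparty=\nlib-b-2.1.pom>central=\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            directory = Path(tmp, rel)
            directory.mkdir(parents=True)
            (directory / TRACKING_FILE).write_text(content)
        return audit(tmp, {"central", LOCAL_INSTALL})


if __name__ == "__main__":
    for rel, filename, ids in demo():
        print(f"{rel}/{filename}: recorded from {ids}, not from an allowed repository")
```

To audit a real local repository, call `audit()` with its path and the ids of the repositories configured for the build.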
