The odd thing is that the pom blocked in the original message, org.jboss.weld:weld-parent:pom:6, is available on central:
https://repo1.maven.org/maven2/org/jboss/weld/weld-parent/6/weld-parent-6.pom I haven't been able to find anything in that dependency chain that isn't also on central - but some of them do refer to remote repositories (which apparently is allowed, but is discouraged) Anyway I'm happy to change this dependency to a later version like 1.2 that has the remote repository in a separate profile. On Sat, 14 Aug 2021 at 20:36, Michael Osipov <micha...@apache.org> wrote: > Am 2021-08-14 um 21:25 schrieb Delany: > > Ok, sorry I didn't mention before you released, I wasn't sure of my > setup. > > https://issues.apache.org/jira/browse/MNG-7214 > > Thanks, I just did a git log on the pom.xml and this issue existed for > at least five years in the codebase, no one ever noticed before the HTTP > blocker or being behind a firewall and working w/ a repo manager. > > > On Sat, 14 Aug 2021 at 20:56, Michael Osipov <micha...@apache.org> > wrote: > > > >> Thank you very, very much for this edge case. > >> > >> Gosh, I hate all of this JBoss conglomerate with a passion. > >> > >> This is our problem: > >>> [INFO] | +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile > >>> [INFO] | | \- javax.enterprise:cdi-api:jar:1.0:compile > >>> [INFO] | | \- javax.annotation:jsr250-api:jar:1.0:compile > >> > >> Guess what, although javax.enterprise:cdi-api is in javax namespace its > >> parent is > >>> <parent> > >>> <groupId>org.jboss.weld</groupId> > >>> <artifactId>weld-api-parent</artifactId> > >>> <version>1.0</version> > >>> <relativePath>../parent/pom.xml</relativePath> > >>> </parent> > >> > >> WTF? How is this possible? Who signed this? The API should be completely > >> decoupled of Weld. The repo is burried in the parents. This is > >> absolutely unacceptable. It leaks now in the entire buildchain for > >> everyone who depends on our artifacts. > >> > >> We can do two things here: > >> 1. Exclude this transitive dependency and lose @Typed in Plexus to JSR > >> 330 migration > >> 2. Ask Stuart McCulloch to push a new Sisu release with updates to CDI > >> 1.2 which parents do not have a repo anymore. > >> > >> Still leaves a very bad after taste.... > >> > >> Please file an issue, I will try talk to Stuart. > >> > >> I think this is ugly enough to justify 3.8.3 for all of those who > >> depends on our JARs. Plain Maven users aren't affected. > >> > >> Michael > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > >> For additional commands, e-mail: users-h...@maven.apache.org > >> > >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > >