Maven Evangelism

log4j 1.2.15 points to nonfunctional maven-repository.dev.java.net packages breaking whole build

Details

  • Type: Bug
  • Status: Closed
  • Resolution: Won't Fix
  • Component/s: None
  • Labels:
    None
  • Group ID:
    log4j
  • Artifact ID:
    log4j
  • Version:
    1.2.15

Description

Log4j 2.1.15 dependency from central repository has dependencies linked to https://maven-repository.dev.java.net/nonav/repository - jmxri, jmxtools and java mail (and others?). These dependencies are broken or the whole external repository is inaccessible by now.

Is it even permitted to have "external" dependency for a package in central repository?

I found it hard to find how to disable a repository (block a repository) so I am using this opportunity for a micro how to for unlucky ones like me.

Troubled dependency definition:
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.15</version>
</dependency>

Error log (shortened) ----------------------

[INFO] Scanning for projects...
...
[INFO] Copying 1 resource
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
353/353b
353b downloaded (jmxri-1.2.1.jar)
357/357b
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
353/353b
353b downloaded (jmxri-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
357/357b
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
...
[INFO] Compilation failure
...
error: error reading /opt/javalibs/com/sun/jdmk/jmxtools/1.2.1/jmxtools-1.2.1.jar; error in opening zip file
error: error reading /opt/javalibs/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar; error in opening zip file

Solution (1) - Disable repository (settings.xml).
Note, it is much more tricky than it seems to be! It gave me a hard time before I found out. Documentation should be improved here.
1) Tricky, you have to do it for releases and snapshots. There is no repository-wide disabling option.
2) You have to provide not just the same (failing) repository URL but, more importantly, the same repository ID as in the ill-referencing POM (log4j 2.1.15 in our case).
3) Blacklisting a repository is something completely different than disabling. Not usable in this case. It is not ad hoc settable by the user anyway.
OK, here is the code:
<profile>
  <id>default</id>
  ...
  <repositories>
    <repository>
      <id>java.net</id>
      <!-- IMPORTANT!!! you have to use same ID as in affected POM otherwise it does not work -->
      <url>https://maven-repository.dev.java.net/nonav/repository</url>
      <releases>
        <enabled>false</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
</profile>

Solution (2) - exclude the "external" sub-dependencies of log4j 2.1.15, like jmxri, jmxtools and java mail. And perhaps others. It takes more time to figure out what else is "external".

Solution (3) - the best one. Use version log4j 2.1.14 instead. It seems to be OK.
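
An added example, not part of the original report: the log above ends each failed checksum with IGNORING, which means Maven kept the downloaded file even though the remote "checksum" was the start of an HTML page. The sketch below scans build output for that pattern; the function and field names are hypothetical, and the sample is an excerpt built from the log lines in the report.

```python
import re

# Excerpt constructed from the error log in the report above (Maven 2 console output).
SAMPLE_LOG = """\
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
353b downloaded (jmxri-1.2.1.jar)
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
353b downloaded (jmxri-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
"""

CHECKSUM = re.compile(
    r"CHECKSUM FAILED - Checksum failed on download: local = '(?P<local>[^']*)';"
    r" remote = '(?P<remote>[^']*)' - (?P<action>RETRYING|IGNORING)")
DOWNLOADING = re.compile(r"^Downloading: (\S+)")
HEX_DIGEST = re.compile(r"[0-9a-fA-F]{40}|[0-9a-fA-F]{32}")

def kept_despite_mismatch(log_text):
    """Return one finding per download Maven kept although its checksum failed."""
    retry_url, awaiting_retry, findings = {}, None, []
    for line in log_text.splitlines():
        download = DOWNLOADING.match(line)
        if download and awaiting_retry:
            # The re-download that follows a RETRYING warning names the artifact.
            retry_url[awaiting_retry] = download.group(1)
            awaiting_retry = None
            continue
        failure = CHECKSUM.search(line)
        if not failure:
            continue
        if failure["action"] == "RETRYING":
            awaiting_retry = failure["local"]
        else:  # IGNORING: the mismatching file stays in the local repository
            findings.append({
                "url": retry_url.get(failure["local"]),
                "local_digest": failure["local"],
                "remote": failure["remote"],
                # False: the checksum request returned something else, e.g. HTML
                "remote_is_digest": bool(HEX_DIGEST.fullmatch(failure["remote"])),
            })
    return findings
```

Any finding with `remote_is_digest` set to false points at a file in the local repository that should be deleted and re-fetched from a working source before the build is trusted.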

Activity

Jan Uhlir added a comment -

Solution (1) - Disable repository (settings.xml).
<profile>
  <id>default</id>
  ...
  <repositories>
    <repository>
      <id>java.net</id>
      <!-- you have to use same ID as in affected POM otherwise it does not work -->
      <url>https://maven-repository.dev.java.net/nonav/repository</url>
      <releases>
        <enabled>false</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
</profile>

Jan Uhlir added a comment -

https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
forwards to
http://download.java.net/maven/1/com.sun.jmx/jars/jmxri-1.2.1.jar
which ends up with:
Not Found. The requested object does not exist on this server.

This is mainly a https://maven-repository.dev.java.net repository issue, but because a package from your central repository references this broken package, it is a bit of your issue now too.

Carlos Sanchez added a comment -

Log4j team need to fix the pom for their next release, you need to talk to them.

They probably want to make these dependencies optional and they must remove the repositories section

1) com.sun.jmx:jmxri:jar:1.2.1
2) com.sun.jdmk:jmxtools:jar:1.2.1
3) javax.jms:jms:jar:1.1

In the meantime you can exclude them

Kalle Korhonen added a comment -

I had filed https://issues.apache.org/bugzilla/show_bug.cgi?id=48216 to mark the optional log4j dependencies as optional (but status is still NEW)

Dennis Lundberg added a comment -

This has already been fixed in https://issues.apache.org/bugzilla/show_bug.cgi?id=43304
