I have a problem with a Maven artifact from a predecessor.
He modified an external maven library and uploaded it under the same version name to the Nexus releases repo.
When I build my project I obviously get the official version and not the intended.
Locally I just overwrite my local .m2 repo with it.
But for our cicd server this is not an outcome, because I have no file system access, and because the situation might repeat itself.
There is no source code so rebuilding and reversioning would be cumbersome.
My question is: how can I force to get the artifact downloaded from the releases and not the default central repo, meanwhile getting all other dependencies come from the latter?
Related
We have a dependency third-party library that is available online in jar form, but it is not in Maven Repository, or known to be in any other repository.
How can we use pom.xml to auto-retrieve this dependency, based on a URL?
We don't want to store it in our Git repo, because that's A Bad Thing.
The idea here is that when people check out the project, they can use their IDE Maven integration (or just mvn command line tools) to download all the dependencies. So we would want to be able to also download this other third party dependency just like all the ones in Maven repo.
I have not been able to come up with an answer to this based on searches -- all solutions seem to be "download it first and create a local repo." Obviously Maven can download from the Internet, since that's how it connects to Maven Central and other repos. So I don't see why it cannot download arbitrary URLs that present packages in recognizable formats.
Long term, the best solution is to use your own artifact repository like Nexus, Artifactory or Archiva.
All of these have a manual upload function that you can use to set the groupId, artifactId and version, so you can then refer to the artifact as usual.
If you want to go really low tech, I think you can just put some machine's local repository behind an Apache, provided you grant read/write access.
Then you need to add your new repository in the Maven settings.xml file, as described here.
Maven uses the coordinates to navigate the repository (which has a specific layout) and verify artifact checksums for corruption/tampering using metadata files in specific locations of the repo.
AFAIK this is similar to other package management systems like APT and RubyGems that use repo manifests and don't allow arbitrary URL downloads.
Skipping the repository manager
If you really don't want or can't use a repository manager, you can always download the artifact and manually install it using the Maven Install Plugin:
mvn install:install-file -Dfile=your-artifact-1.0.jar -DgroupId=org.some.group -DartifactId=your-artifact -Dversion=1.0
However, you'll have to do this on every machine that runs the build, every time that artifact needs to change.
Unfortunately, my project has an external dependency that was never published to any Maven repository. The only way I can get it is by direct download from github (they pushed the binary to github).
One (bad) way is to download the jar manually and commit/push it to my code repository (git). It wouldn't help me to manually deploy this artifact in my local binary repository because I share this project with external contributors that cannot access my private binary repo.
I wonder if maven has a better way to handle this? (Given that I can't upload the artifact to my repo or public repo).
I know that npm allows getting some dependencies from URL. Does maven support it as well?
AFAIK there is no nice way to handle this. You could
Write a script that downloads the jar and installs it in your local Maven repository. This script could be shared through your code repository.
Include downloading and installing the artifact into the Maven build process (by writing a Maven plugin or using the antrun plugin)
Set up a nexus in the cloud that everyone in your team can access.
I have trouble understanding, why maven has to check for updates each time we build a project.
The pom has specific version mentioned for each dependency. Once those versions are downloaded to the local repo, then maven can use that local copy to build the project. So why does maven have to check for updates when we build the project each time other than just using the local copy?
a side question.
can a maven artifact be changed after releasing it to a repo under a specific version?
As per Maven, an artifact mainly can be of two types - a RELEASE one and a SNAPSHOT one. RELEASE dependency(eg: 1.0.1, 2.3.0 etc) of an artifact is a source of truth. Means 1.0.1 version of a jar (say test.jar) will always be the same always. We will release artifacts to remote repository, whenever the product matures or after a sequence of bug fixes.
On the other hand, a development is on going in a project, then specified its version number as SNAPSHOT(eg: 2.0-SNAPSHOT, 1.1-SNAPSHOT etc).
Say if we specified test-2.0-SNAPSHOT.jar as dependency in our project pom. If we look at the remote repository (Nexus, archiva etc), we can see that it is not saved as version 2.0-SNAPSHOT rather it will be saved artifact version as date-timestamp-buildnumber format, the date-timestamp at which the artifact was built and uploaded to remote repo. (eg: test-2.0-20150105082634.jar)
So when ever the development team does the fix for an issue on a daily basis the updated jar with date timestamp will be in uploaded to the remote repo. So it is necessary for maven to do look up for the latest date timestamp of SNAPSHOT artifacts. Maven does this by maven-metadata.xml file in the artifact directory in the repo.
Hope this clarifies your query. Let me know, if you need any clarifications
I inherited this project which used to build & run successfully (years ago...). Now when checked out from version control, as is, it complains:
Unable to find resource 'opensymphony:quartz-all:pom:1.6.3' in
repository central (http://repo1.maven.org/maven2)
But following that repository link (http://repo1.maven.org/maven2) leads to a browsable site that shows clearly that this resource is available: http://search.maven.org/#browse|1030701351 !
I have even been able to manually download it, and I can also find it in my local repo (C:\maven\repo\opensymphony\quartz-all\1.6.3\quartz-all-1.6.3).
So, my questions:
Why is Maven complaining at all, if it is there?
How did it get to my local repo, if Maven couldn't find it?
Your local repository is NOT in C:\maven ... it is in your users directory ~/.m2/repository
To debug what is really going on I would suggest to deactivate the ~/.m2/settings.xml (e.g. by renaming it) and do a clean build without any of the old artifacts and from a fresh local repository (just delete ~/.m2/repository)
That would tell you what is really missing.
If anything is missing that means it is not in the Centra Repository (http://search.maven.org). As a next step I would then install a repository manager in your network. I would recommend using Sonatype Nexus (open source, free book as documentation) and then add any other repositories or missing artifacts in there.
I have setup an in-house Sonatype Nexus repository and configure the maven to check my local Nexus instead of getting artifacts directly from public repositories.
http://www.sonatype.com/books/nexus-book/reference/config-sect-intro.html
Our project was able to download the most artifacts except one artifact in Maven central.
Here is the build error:
Failed to execute goal on project shindig-gadgets: Could not resolve dependencies for project org.apache.shindig:shindig-gadgets:jar:3.0.0-SNAPSHOT: Could not find artifact com.ibm.icu:icu4j:jar:4.6 in nexus (http://my_nexus_repository:8081/nexus/content/groups/public) -> [Help 1]
I see that icu4j-4.6.jar does exist in the Maven central repository. On my local nexus repository, it doesn't exist. I see only icu4j-4.6.pom exists on my local nexus repository.
It's not like my nexus repository setting is totally broken. maven project has successfully downloaded numerous jar files from multiple public repositories via my local nexus maven repository except icu4j-4.6.jar.
I don't understand why I'm having a problem with only icu4j-4.6.jar. Would it be incorrectly cached on either my local maven or nexus maven repository?
If it was incorrectly cached, how can I clean the local maven or nexus maven repository?
The similar problem is described at
Missing maven dependency using nexus setup
icu4j-4.6.jar does not show up in the search list. Only icu4j-4.6.pom shows up in the search list. I don't think is Snapshot VS Release issue because icu4j-4.6.jar seems release jar.
Is it possible that the nexus repo just stopped responding for a while? You can try mvn -X (or -d?) to get detailed info about what is going on. You might also try configuring an alternative repo.
Perhaps you haven't enabled remote index downloads from Maven Central. This would explain why only the POM file appears in your local search (The only file which has been downloaded via the proxy repo).
There might be another issue causing the download failure for the jar itself.... I suppose try and solve one problem at a time :-)
Try adding -U to your mvn arguments to force an update of your local repository.
You could also have corrupt meta data in the repo. In which case, delete that artifact from the repo's cache and let it refresh.
If the artifact in question was cached in properly from the proxy repository, using mvn -U will fix the problem
However if you are seeing pom on your nexus ,this usually happens when the artifact from the proxy repository is not cached in properly. The way to fix is
1) Browse to the component in the Proxy Repository.
2) Invalidate the cache for the repository and reindex the Nexus repository.
3) run mvn clean -U