Maven Central is which exactly repository? - maven

Are https://mvnrepository.com/repos/central and http://central.maven.org/maven2/ the same maven repository (called Maven Central)?
Also there is https://repo.maven.apache.org/maven2/ which also calles itself a Central Repository.
I use mvnrepository.com as I find it more convenient, but many referencies to Maven Central in Internet lead to http://central.maven.org
Besides both sites above are for Maven2, right?
What are the analogues for Maven3?
Besides is Maven3 widely used?

As far as I know, mvnrepository is just a search site that is not maintained by the maven people directly. It's a search site as I see it. It has been around for a while. Since it contains multiple repository source to search in and lets you select which one you work with its pretty transparent and I don't see any harm there.
If you execute mvn help:effective-settings you should be able to determine what repositories are used, in case some changes where made. The current central default in maven seems to be https://repo.maven.apache.org/maven2/ - the official search interface being https://search.maven.org/
You can also look into the maven sources of the pom what config you running on.
The /maven2/ part in the Uri only means what repository format is used within. This has not changed for maven 3 (it was different for maven 1). So it's the correct and current one today, there is no maven 3 repository format. Everything new could be added to the maven 2 format (for example some search index files or checksum files).

Related

List users of an artifact in a repository

I need a tool that will help to find all artifacts that reference another artifact.
When I rebuild an artifact, I need to update/rebuild all artifacts that were using the old version. But I work in a big organisation, and nobody knows really where the artifact is spread in the organisation, so nobody is ever completely sure that everybody use the latest versions.
What I need would be a tool - maybe an artifactory plugin or feature, or a maven plugin doing a lookup in the repository - that indexes all the known poms, and is able to make a listing of all artifacts that have the updated artifact in their dependencies, either directly and transitively. Thus a list of artifacts I would need to rebuild. Quite the opposite of dependency:tree.
Filtering that list by repository, groupId, packaging, etc. is a nice to have. But I can live without.
Any idea?
You can use the Artifactory Query Language with the REST API to do that. For example, if you want to find all builds that use "MySuperAwesomeDependency-1.0.2" your AQL statement would be something like:
//Find builds that use a dependency that is a snapshot
builds.find({"module.dependency.item.name":{"$match":"MySuperAwesomeDependency-1.0.2*"}})
The key in the above statement would be the module.dependency.item.name, which allows you to search for dependencies by name, assuming you store the dependencies in Artifactory.

Use a maven repo which does not have pom files

We have a large custom artifact repository which is used by our old internal ant builds.
It stores jars in much the same way that a maven repository does. i.e.
http://repo/root/<group>/<artifact>/<version>/<artifact>-<version>.jar
But, this repository does_not_ contain pom files. Just jars and src jars.
We are now migrating a whole lot of projects to using maven/gradle, these use an Artifactory installation that we have. But the projects still have a lot of dependencies on artifacts stored in the old repository.
I was wondering if anyone knew a way of accessing this old style repo (which does not have poms) using maven/gradle?
We could synthesize and insert a whole lot of simple poms, which just have group/artifact/version etc, and no dependencies. But was wondering if there might be a simpler way.
After all, the group/artifact/version is in the path itself. The poms never contain dependencies, so in this situation the poms wouldn't (as far as I can see) provide any additional info.
Any advice/help would be greatly appreciated.
When you transform the projects to Maven, you need to touch the dependency definitions. You need to to replace old, file-based accesses by Maven coordinates.
Therefore, I would suggest the following (we did something very similar, only with a Windows network drive instead of a http based repository):
Write a script that uploads all your artifacts from the old repository to your artifactory. If you use maven deploy:deploy-file, Maven will create stub poms for you.
Write scripts for the developers that translate the references on the old repository by the respective Maven coordinates for the pom.
As a side note: In our company, the old "repository" and the Maven repository were actively used (and written to) at the same time, so we developed a two-way synchronisation job between our Nexus and the old "repository".
Gradle doesn't need pom files, if they aren't available it should just reference the jars directly. So this should "just work"
repositories {
maven {
url "http://repo/root"
}
}
If, for some reason, there's slight differences you could use the Ivy repository. See custom ivy repositories and IvyArtifactRepository Eg:
repositories {
ivy {
url "http://repo/root"
layout "pattern", {
artifact "[organisation]/[module]/[revision]/[artifact]-[revision](-[classifier])(.[ext])"
}
}
}

What is the significance of using -U (force update of dependencies) attribute in maven practically?

Observation:
I was testing how Maven retrieves artifacts when building artifacts using mvn package (or) mvn install command. I noticed that Maven was connecting to the Internet to get the dependencies every single time. There was not much time gap (maybe around 1 or 2 minutes) between successive runs as well.
Question:
Therefore, if Maven connects to Internet (or the repository provided in my settings.xml) every time by default, why do they have a separate attribute that can force update (The -U attribute which is used like this: mvn install -U of a snapshot from the repo? What is the factor that governs/decides between connecting to an external repo or using local repo for retrieving dependencies?
Reference:
(Please refer http://www.sonatype.com/node/158?file=books/maven-definitive-guide.pdf Page 93 to know more about this attribute). The reference just explains about the attribute but the governing principle behind it is not explained.
I find -U/--update-snapshots to be a helpful hint at best, and seems to be different in Maven2 vs. Maven3.
Even with release artifacts, maven3 sometimes requires it to update the artifacts on both specific versions and version ranges. Other times, my local repository gets updated correctly. Go figure.
Do you know what artifacts Maven is checking/receiving when not specifying -U? I think, but have not confirmed, that Maven is checking/downloading plugins, which may have different rules than the dependencies in your POM.
The only way to truly convince Maven to not check outside the local repo is to use -O/--offline and then it'll use whatever you have.

Download specific POM file using it's Maven artifact

I'm new to Maven, but the big picture is that I need to download (in command line) the POM file of a certain artifact which is in a remote maven repository (Artifactory) using just it's artifact name and making it dynamically (by giving only the repository root path and the name of the artifact, so I can change it's location inside the repository and still download it).
My first question is: is that possible, or I have to detail the whole artifact path, groupId, artifactId and version?
Second point:
I managed to download the artifact using this maven command but it only gets the .jar, not the POM file:
mvn dependency:get -DrepoUrl=MY_REPO_LOC
-Dartifact=MY_ARTIFACT_LOC:MY_ARTIFACT_NAME:ARTIFACT_VERSION
Any idea on how can I do that?
First, you don't need maven for that. You choose a binary repository, which can give you the solution directly. Here's how:
Since you don't know the location of the artifact (I'd assume in terms of repository name? Because all the rest is pretty much locked by Maven and you do know all the path if you know the GAVC) and you don't want to list the groupId and version, you have to search and be prepared to receive multiple results, on which you'll have to imply some logic to determine which one you need.
Here's how you search in Artifactory from command line: http://wiki.jfrog.org/confluence/display/RTF/Artifactory%27s+REST+API#Artifactory%27sRESTAPI-SEARCHES
I'd recommend GAVC Search, since you know the artifactId.
If it's only the version which is unknown, and you just want to get the latest version, you can just use the latest artifact retrieval call or latest version search.

Maven and ibiblio

I searched a lot in apache documentation and ibiblio.org and I could not find a decent straight answer.
My questions:
When I download a jar using maven dependency (setup in pom), how can I be sure that the file does not change on the remote repository? for example, if I'm using log4j version 1.2.3, downloaded from ibiblio.org (or any other repo for that matter), how can I be sure I'm getting the exact same jar each time?
Does maven delete jars from the local repository? let's assume I'm not clearing the repository at all, will it fill up eventually? or does maven have some kind of mechanism to clear old jars?
In Maven conventions a released version like log4j 1.2.3 will never be changed. It will be left in your locale repository until you manually delete it. It can't be changed by anyone except for the admins on maven central, but i suppose they don't do such a stupid thing.
Furthermore the download by default is done from maven central (repo1.maven.org/maven2 instead of ibiblio).
One of the "tricks" in Maven is download an artifact (released) only once...that improved your build performance in contradiction to the SNAPSHOT dependencies.
You could configure your own repository, and point all your project poms at that. It's easy to configure your poms to use a different (private) repository, but I've never set one up myself. Doesn't seem too hard, other than managing it to keep all the needed artifacts available.

Resources