Upload newer version of stranger's project to central Maven repo

JBox2d is at version 2.3.1-SNAPSHOT:
https://github.com/jbox2d/jbox2d/blob/master/jbox2d-library/pom.xml
However, the latest version of the library in the Maven repository is 2.2.1.1:
http://mvnrepository.com/artifact/org.jbox2d/jbox2d-library
Is there a way that I can upload this newer version of JBox2d to the central repo for everyone's use?

In short, no. Without the current maintainer's permission you can't upload a new artifact with the same groupId/artifactId. To quote from the Guide to uploading artifacts to the Central Repository FAQ:
I have a patched version of the foo project developed at foo.com, what groupId should I use?
When you patch / modify a third party project, that patched version becomes your project and therefore should be distributed under a groupId you control as any project you would have developed, never under com.foo. See above considerations about groupId.
Either pick a new groupId, for what is effectively your fork of the project, or collaborate with the current maintainers to get the newer version into Central with their permission.

Related

Maven Central vs Other Repos?

On Maven Central, I can see several other repositories available for some of the libraries. For example, Apache Commons BeanUtils is available in Central, Redhat GA, JBoss 3rd-party etc. The library version naming changes as well. For example, Maven Central has versions like 1.9.4, however Redhat GA has versions like 1.9.3.redhat-1.
Click on this URI to see the details.
https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils
My question is - What is the difference between Repo marked as Central and "Redhat GA"?
Attaching an image of the "Maven GA" repo as well here.
Re:
My question is - What is the difference between Repo marked as Central and "Redhat GA"?
From here: https://access.redhat.com/maven-repository
"Redhat GA" is the general availability JBoss Enterprise Maven Repository.
And the page also mentions:
Artifacts in the repository do not receive automated security patches as Maven requires that artifacts be immutable. As a result, artifacts that are missing patches for known security flaws will remain in the repository to avoid breaking builds that depend on them. Patched artifacts have their version number incremented.
If you check out the README at the repository: https://maven.repository.redhat.com/ga/README.md
This archive contains Maven repository artifacts for JBoss WFK 2. This is meant
to be used as additional Maven repository in development environment with
JBoss EAP 6 Maven repository.
So it seems Redhat GA versions are patched versions of Maven Central artifacts, specifically to support JBoss WFK.
My guess is that the patches correct security flaws in the base Maven Central artifact.
Re:
For example, Maven Central has versions like 1.9.4, however Redhat GA has versions like 1.9.3.redhat-1.
For this example, my guess is that 1.9.3.redhat-1 is a security patched version of 1.9.3 from Maven Central.
Re: (comment above)
How safe is it to use a version of a library from other repos (for example, Redhat in this case) than Central? Or what are the scenarios when an enterprise application should use a library from repos other than Maven Central?
If you need a security-hardened version of a specific Maven Central version, but you can't upgrade to a later version from Maven Central (for any reason: risk, incompatibilities, one does not exist, etc) - the Red Hat version might be a solution.
As to whether it's safe, it's up to whether you trust RedHat vs Maven vs any other organization providing open source.
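An added example, not part of the original answer and going slightly beyond it: a small audit that lists which repositories a POM makes the build trust and which dependencies carry a vendor suffix such as `.redhat-1`. The sample POM, the `team-mirror` repository and the function names are constructed for illustration; reading the suffix as "vendor rebuild of the upstream base version" follows the answer's guess and is an assumption, as are the Maven 3 defaults noted in the comments.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
VENDOR = re.compile(r"^(?P<base>\d+(?:\.\d+)*)[.-](?P<vendor>[A-Za-z]+)-(?P<build>\d+)$")

# Constructed, trimmed sample POM (not taken from any project on this page).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>redhat-ga</id><url>https://maven.repository.redhat.com/ga/</url>
      <releases><checksumPolicy>fail</checksumPolicy></releases>
      <snapshots><enabled>false</enabled></snapshots></repository>
    <repository><id>team-mirror</id><url>http://repo.example.invalid/maven</url></repository>
  </repositories>
  <dependencies>
    <dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId>
      <version>1.9.3.redhat-1</version></dependency>
    <dependency><groupId>org.jbox2d</groupId><artifactId>jbox2d-library</artifactId>
      <version>2.2.1.1</version></dependency>
  </dependencies>
</project>"""

def audit_repositories(pom_xml):
    """Return (id, url, findings) for every extra repository the POM declares."""
    out = []
    for repo in ET.fromstring(pom_xml).findall("m:repositories/m:repository", NS):
        url, findings = repo.findtext("m:url", "", NS), []
        if not url.startswith("https://"):
            findings.append("non-TLS URL")
        # Assumed Maven 3 defaults when the element is absent: snapshots on, checksums "warn".
        if repo.findtext("m:snapshots/m:enabled", "true", NS) != "false":
            findings.append("snapshots enabled")
        if repo.findtext("m:releases/m:checksumPolicy", "warn", NS) != "fail":
            findings.append("checksum mismatch does not fail the build")
        out.append((repo.findtext("m:id", "", NS), url, findings))
    return out

def vendor_rebuilds(pom_xml):
    """Return (groupId:artifactId, upstream base version, vendor) for suffixed versions."""
    hits = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS):
        m = VENDOR.match(dep.findtext("m:version", "", NS))
        if m:
            ga = dep.findtext("m:groupId", "", NS) + ":" + dep.findtext("m:artifactId", "", NS)
            hits.append((ga, m["base"], m["vendor"]))
    return hits

if __name__ == "__main__":
    print(audit_repositories(SAMPLE_POM), vendor_rebuilds(SAMPLE_POM), sep="\n")
```

Each flagged dependency is one to compare against the vendor's advisories and the upstream release it was rebuilt from, since the suffix alone does not say which fixes it contains.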

Is it possible to use revapi maven plugin to do check against a SNAPSHOT version?

I'm currently setting up revapi-maven-plugin for a project, using latest version (0.7.0), and we want to check on our jenkins that no regression appears in our API during development.
Then for my process I don't want to check the regression between a snapshot and a release but between two snapshots.
Unfortunately (?) we use a different repository for our snapshots and our releases, and apparently revapi-maven-plugin seems not able to get the latest snapshot version from the snapshot repo.
Or is it and I did not understand how to do that?
I already put those value in my configuration but it does not change anything:
<alwaysCheckForReleaseVersion>false</alwaysCheckForReleaseVersion>
<oldVersion>LATEST</oldVersion>
This is supported since the version 0.8.0 of the revapi-maven-plugin.
The documentation of the oldVersion property reads (https://revapi.org/modules/revapi-maven-plugin/check-mojo.html#oldVersion):
If you don't want to compare a different artifact than the one being built, specifying just the old version is simpler way of specifying the old artifact. The default value is "RELEASE" meaning that the old version is the last released version of the artifact being built (either remote or found locally (to account for artifacts installed into the local repo that are not available in some public remote repository)). The version of the compared artifact will be strictly older than the version of the new artifact. If you specify "LATEST", the old version will be resolved to the newest version available remotely, including snapshots (if found in one of the repositories active in the build). The version of the compared artifact will be either older or equal to the version of the new artifact in this case to account for comparing a locally built snapshot against the latest published snapshot.

How can I show the latest artefact version on bitbucket ReadME?

I have a private repository hosted on bitbucket. Every time I release the latest version of the artefact to Nexus, I have to update the Read me which seems very repetitive.
Is there any way/plugin which can publish the latest version of the artefact directly to my repository's overview page (ReadME.md)?
I am using Maven 3+ for building the artefact using Jenkins which publishes all artefacts to Sonatype Nexus.
You can likely use something akin to this to add the file, likely the attach additional resources example: http://www.mojohaus.org/build-helper-maven-plugin/usage.html

How to download artifacts from github using maven?

An old legacy project in my team is being salvaged for any usable part. One of its dependencies is play-json_2.10 with a version number 2.2. However, since it's too old, it's missing from all the major repositories, including typesafe and sonatype central. The only place I can find it is on github:
https://github.com/mandubian/play-json-alone
I could download it and manually save it to a local maven repo, but my teammates won't be able to see it after checking out my commit. Is there a way to make maven download from github and put the source code somewhere? Thanks a lot.

How to properly fork a maven project?

I'm trying to fork a discontinued maven library that is already in the main repository.
What are good guidelines to follow when doing so?
Should the groupId/artifactId be changed so that it doesn't clash with the library that's already in the maven repository?
This library will be a dependency to a project that will also be available publicly(in the maven repo) so this library should also be there.
The modifications add improvements and some changes on how the library works, so I would like it to be separate from the old versions.
Sonatype recommends you change the groupId when you fork a project.
B2) upload them under your the forked project groupId (presumably one you own and appropriate for the fork)
I assume you are forking the other project for internal use? Then I would keep the original groupId/artifactId but add a postfix to the version. If the upstream version is 1.0.0 your custom version would be 1.0.0-custom.
If you create a public fork then you basically have to use a new project name and so a new groupId/artifactId.
