Maybe related?
https://github.com/jitpack/jitpack.io/issues/3779

HTH
Tamas

On Mon, Jun 20, 2022, 20:38 Pawel Veselov <pawel.vese...@gmail.com> wrote:

> TL;DR:
>
> Is there a way, and what is the correct one if there is, to prevent a
> package being downloaded from a particular repository (or lock it to
> being downloaded from a particular one, though I thought the answer to
> that one is "no")?
>
> LR:
>
> Maven 3.8.6, JDK 1.8.
>
> I've run into this strange problem with
> com.github.jsonld-java:jsonld-java:0.13.4
> The package includes fine as a dependency if it is downloaded from
> Maven Central:
> pom.xml: https://pastebin.com/qev5Udp2
> Build output: https://pastebin.com/MzUVqWLt (pending moderation, LMK
> if you want me to attach that)
>
> The package fails to download as a dependency if it is downloaded from
> JitPack:
> pom.xml: https://pastebin.com/7L2rEWPz
> Build output: https://pastebin.com/U3StAtMZ
>
> AFAIU, there are two things that are "wrong" in this entire thing:
> a) Developer declared packaging as "bundle" (I'm not entirely sure
> that's wrong, but I don't see a reason for them to have done so, and
> it seems to be a contributing factor)
> b) JitPack/somebody republished the dependency as a virtual package
> that depends on itself, and broke this entirely.
>
> But what I don't understand is why Maven's behavior is different
> in these two cases.
>
> NOT WORKING CASE: The package is found on JitPack, Maven is asked to
> get com.github.jsonld-java:jsonld-java:0.13.4 of type "bundle" by an
> explicit dependency statement. There is no such downloadable binary,
> so the entire process fails.
>
> WORKING CASE: The package is found on Central, Maven is asked to get
> com.github.jsonld-java:jsonld-java:0.13.4, without packaging
> specification. The packaging specification in the POM is "bundle". But
> Maven is satisfied with just downloading the JAR.
>
> A few questions:
> - How come Maven is OK creating/uploading a package with "bundle"
> packaging, but without a "bundle" file?
> - How does Maven decide to download the .jar when the packaging says
> "bundle" in the POM, and is satisfied with that?
> - Is there a way to find out who published a package on JitPack, to
> get them to fix it? The developer didn't do that, that was done
> without their consent and/or them being made aware of it.
>
> Thank you.
>
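
An added example, not part of the thread: a Python check that reads the `_remote.repositories` tracking files Maven keeps in the local repository and reports artifacts fetched from a repository other than the one expected for their groupId. The repository ids `central` and `jitpack.io` and the `pinned` policy mapping are assumptions; the real ids are whatever the POM or settings.xml declare.

```python
import os

# Constructed sample of the tracking file Maven writes beside downloaded artifacts
# (internal Maven Resolver format, may change; repository ids here are assumed).
SAMPLE = """\
#NOTE: This is a Maven Resolver internal implementation file, its format can be changed without prior notice.
#Mon Jun 20 20:38:00 UTC 2022
jsonld-java-0.13.4.pom>jitpack.io=
jsonld-java-0.13.4.jar>central=
"""

def parse_tracking(text):
    """Map each file name to the set of repository ids it was fetched from."""
    origins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue
        name, _, repo = line.partition("=")[0].rpartition(">")
        origins.setdefault(name, set()).add(repo)  # empty id: installed locally
    return origins

def audit(local_repo, pinned):
    """List (coordinates, file, repo id) for files that came from a repository
    other than the one pinned for their groupId. `pinned` is a hypothetical
    policy mapping groupId -> the only repository id allowed to supply it."""
    findings = []
    for dirpath, _dirs, files in os.walk(local_repo):
        parts = os.path.relpath(dirpath, local_repo).split(os.sep)
        if "_remote.repositories" not in files or len(parts) < 3:
            continue
        # Layout is <groupId as dirs>/<artifactId>/<version>/
        group, artifact, version = ".".join(parts[:-2]), parts[-2], parts[-1]
        allowed = pinned.get(group)
        if allowed is None:
            continue
        path = os.path.join(dirpath, "_remote.repositories")
        with open(path, encoding="iso-8859-1") as fh:
            origins = parse_tracking(fh.read())
        for name, repos in sorted(origins.items()):
            for repo in sorted(repos - {allowed, ""}):
                findings.append((f"{group}:{artifact}:{version}", name, repo))
    return findings

if __name__ == "__main__":
    root = os.path.expanduser("~/.m2/repository")
    for finding in audit(root, {"com.github.jsonld-java": "central"}):
        print(*finding)
```

A finding only shows where a file already in the local repository came from; it does not stop Maven from consulting that repository on the next resolution.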
