On Mon, Jun 20, 2022 at 9:03 PM Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Maybe related?
> https://github.com/jitpack/jitpack.io/issues/3779

Definitely. But that means that:
* nothing has been done about this in 3 years, not even an
  acknowledgement from JitPack
* there isn't a clear workaround. I'm considering uploading any
  dependencies I do need from JitPack directly into my own Artifactory
  as a workaround, but that's crazy and not long term maintainable.

>
> HTH
> Tamas
>
> On Mon, Jun 20, 2022, 20:38 Pawel Veselov <pawel.vese...@gmail.com> wrote:
>
> > TL;DR:
> >
> > Is there a way, and what is the correct one if there is, to prevent a
> > package being downloaded from a particular repository (or lock it to
> > being downloaded from a particular one, though I thought the answer to
> > that one is "no")?
> >
> > LR:
> >
> > Maven 3.8.6, JDK 1.8.
> >
> > I've run into this strange problem with
> > com.github.jsonld-java:jsonld-java:0.13.4
> > The package includes fine as a dependency if it is downloaded from
> > Maven Central:
> > pom.xml: https://pastebin.com/qev5Udp2
> > Build output: https://pastebin.com/MzUVqWLt (pending moderation, LMK
> > if you want me to attach that)
> >
> > The package fails to download as a dependency if it is downloaded from
> > JitPack:
> > pom.xml: https://pastebin.com/7L2rEWPz
> > Build output: https://pastebin.com/U3StAtMZ
> >
> > AFAIU, there are two things that are "wrong" in this entire thing:
> > a) Developer declared packaging as "bundle" (I'm not entirely sure
> > that's wrong, but I don't see a reason for them to have done so, and
> > it seems to be a contributing factor)
> > b) JitPack/somebody republished the dependency as a virtual package
> > that depends on itself, and broke this entirely.
> >
> > But what I don't understand is why the Maven's behavior is different
> > in these two cases.
> >
> > NOT WORKING CASE: The package is found on JitPack, Maven is asked to
> > get com.github.jsonld-java:jsonld-java:0.13.4 of type "bundle" by an
> > explicit dependency statement. There is no such downloadable binary,
> > so the entire process fails.
> >
> > WORKING CASE: The package is found on Central, Maven is asked to get
> > com.github.jsonld-java:jsonld-java:0.13.4, without packaging
> > specification. The packaging specification in the POM is "bundle". But
> > Maven is satisfied with just downloading the JAR
> >
> > Few questions:
> > - How come Maven is OK creating/uploading a package with "bundle"
> > packaging, but without a "bundle" file?
> > - How does Maven decide to download the .jar when the packaging says
> > "bundle" in the POM, and is satisfied with that?
> > - Is there a way to find out who published a package on JitPack, to
> > get them to fix it? The developer didn't do that, that was done
> > without their consent and/or them being made aware of it
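
Added example, not part of the original messages and not Maven's or JitPack's code: a small Python audit that flags a POM depending on its own coordinates and shows which file the default repository layout would request for each dependency, which is where the two cases in the thread diverge. The embedded POM is constructed from the thread's description (it is not the real JitPack POM), `audit_pom` and `requested_path` are hypothetical helper names, and the type-to-extension mapping is simplified to the situation where no build extension registers a handler for `bundle`, so the type name is used as the file extension.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Simplification: only these types are mapped to ".jar" here; any other type
# (including "bundle" with no handler registered) uses the type name itself.
JAR_TYPES = {"jar", "ejb", "maven-plugin"}

# Constructed sample modelled on the thread's description of the republished POM.
SELF_REF_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.github.jsonld-java</groupId>
  <artifactId>jsonld-java</artifactId>
  <version>0.13.4</version>
  <dependencies>
    <dependency>
      <groupId>com.github.jsonld-java</groupId>
      <artifactId>jsonld-java</artifactId>
      <version>0.13.4</version>
      <type>bundle</type>
    </dependency>
  </dependencies>
</project>"""

def text(node, tag, default=None):
    found = node.find(f"m:{tag}", NS)
    return found.text.strip() if found is not None and found.text else default

def requested_path(group, artifact, version, dep_type="jar"):
    """Repository-relative path of the file requested for a dependency.
    The dependency's <type> decides the extension, not the target's <packaging>."""
    ext = "jar" if dep_type in JAR_TYPES else dep_type
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"

def audit_pom(pom_xml):
    """List each direct dependency with its requested path and a self-reference flag.
    Does not resolve parent POMs or ${property} placeholders."""
    root = ET.fromstring(pom_xml)
    own = tuple(text(root, t) for t in ("groupId", "artifactId", "version"))
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gav = tuple(text(dep, t) for t in ("groupId", "artifactId", "version"))
        dep_type = text(dep, "type", "jar")  # <type> defaults to "jar" when omitted
        findings.append({"path": requested_path(*gav, dep_type),
                         "type": dep_type,
                         "self_reference": gav == own})
    return findings

if __name__ == "__main__":
    for finding in audit_pom(SELF_REF_POM):
        print(finding)
    # A dependency declared without <type>, as in the working case:
    print(requested_path("com.github.jsonld-java", "jsonld-java", "0.13.4"))
```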