ehcache 3.10.0 dependency download issue on Maven

[Andre Eickler]

Hi there,

a minor potential inconvenience when upgrading from 3.9.9 to 3.10.0: In our build, dependencies are downloaded with dependency:go-offline by the CircleCI Maven ORB. "mvn dependency:go-offline" works fine for 3.9.9, but on 3.10.0, it's producing

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline (default-cli) on project jpa-repository: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at org.ehcache:ehcache:jar:3.10.0 -> org.glassfish.jaxb:jaxb-runtime:jar:2.3.0-b170127.1453 -> org.glassfish.jaxb:jaxb-core:jar:2.3.0-b170127.1453 -> javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: Failed to read artifact descriptor for javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: Could not transfer artifact javax.xml.bind:jaxb-api:pom:2.3.0-b161121.1438 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [releases.java.net (http://maven.java.net/content/repositories/releases/, default, releases+snapshots), shapshots.java.net (http://maven.java.net/content/repositories/snapshots/, default, releases+snapshots), jvnet-nexus-staging (http://maven.java.net/content/repositories/staging/, default, releases+snapshots), netbeans (http://bits.netbeans.org/nexus/content/groups/netbeans, default, releases)] -> [Help 1] 

Just thought I'd report this ... let me know if anyone wants more information.

Cheers,
André

[Chris Dennis]

Welcome to the wonders of Maven.

 

Ehcache needs JAXB for XML configuration parsing. Ehcache 3.10.0 moves to expressing this as a runtime dependency on a version range of the JAXB RI: ‘org.glassfish.jaxb:jaxb-runtime:[2.2,3)’. We do this because JAXB is often shared infrastructure, and we don’t really care which version you use. The fun begins when Maven attempts to resolve this dependency:

 

Maven in its infinite wisdom decides that to pick a version here it needs to resolve POMs for the entirety of the known universe. This includes the transitive dependency chain of every version in range. Unfortunately, the parent pom of some (many) of those versions includes references to unsecured http maven repositories: https://repo1.maven.org/maven2/com/sun/xml/bind/mvn/jaxb-parent/2.3.0-b170127.1453/jaxb-parent-2.3.0-b170127.1453.pom Maven in its infinite wisdom then adds those repositories to the set of repositories used to resolve dependencies against in the running build. I’ve no idea if this is scope controlled or not… but if I had to guess, I’d go with no. See: https://issues.apache.org/jira/browse/MNG-3056

 

If you add the necessary goo to unblock those repositories (easiest way is to setup mirrors for those unsecured repos – which helpfully are keyed against id and not matched by url?!), then Maven will eventually resolve 3.0.0-M5, which to any sane person is outside the ‘[2.2,3)’ range. To the Maven team, who eschew reality, and apparently the concept of semantic versioning – this is totally obvious, and not at all broken.

 

There are 3 ways to fix this:

1. Exclude the jaxb-runtime dependency if you don’t use XML configurations.
2. Pin the jaxb-runtime version to one of your choosing (that falls inside the 2.x line)
3. Switch to Gradle.

 

Personally, I would recommend the third option.

 

Chris

---

talent::digital ist Fellow der Impact Factory

--
You received this message because you are subscribed to the Google Groups "ehcache-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ehcache-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/237049fb-c729-483d-bdbe-595a30928053n%40googlegroups.com.

[Andre Eickler]

Ah, thanks! I guess with better Googling skills I would have also found your previous answer to https://github.com/ehcache/ehcache3/issues/2881 ...  so thanks for being so kind to answer still!

I tried pinning the version but for whatever reason, it still insists on accessing the odd other version. Maybe a bow to Maven's reality would be [2.2,2.999) as dependency.

And yes, we had a discussion about 3) ;-) 

Cheers,

André

You received this message because you are subscribed to a topic in the Google Groups "ehcache-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ehcache-users/U1bO6QArswQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ehcache-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/BLAPR20MB41771F52BBABECAF92E396A6AED49%40BLAPR20MB4177.namprd20.prod.outlook.com.

[Chris Dennis]

If you pin by putting an explicit dependency on the jaxb-runtime I think it ends up trying to resolve the Ehcache dependency first before doing some kind of conflict resolution on the results.

 

Doing it using dependency management seems to work for me:

 

<dependencies>

  <dependency>

    <groupId>org.ehcache</groupId>

    <artifactId>ehcache</artifactId>

    <version>3.10.0</version>

  </dependency>

</dependencies>

 

<dependencyManagement>

  <dependencies>

    <dependency>

      <groupId>org.glassfish.jaxb</groupId>

      <artifactId>jaxb-runtime</artifactId>

      <version>2.3.6</version>

    </dependency>

  </dependencies>

</dependencyManagement>

 

If I use the above and then run ‘mvn dependency:tree’ with no fixes for the http repos I get:

 

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ maven-sample ---

[INFO] org.ehcache.build:maven-sample:jar:1.0-SNAPSHOT

[INFO] \- org.ehcache:ehcache:jar:3.10.0:compile

[INFO]    +- javax.cache:cache-api:jar:1.1.0:compile

[INFO]    +- org.slf4j:slf4j-api:jar:1.7.25:runtime

[INFO]    \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.6:runtime

[INFO]       +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:runtime

[INFO]       +- org.glassfish.jaxb:txw2:jar:2.3.6:runtime

[INFO]       +- com.sun.istack:istack-commons-runtime:jar:3.0.12:runtime

[INFO]       \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime

 

Good Luck!

Error! Filename not specified.

--
You received this message because you are subscribed to the Google Groups "ehcache-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ehcache-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/237049fb-c729-483d-bdbe-595a30928053n%40googlegroups.com.

--
You received this message because you are subscribed to a topic in the Google Groups "ehcache-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ehcache-users/U1bO6QArswQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ehcache-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/BLAPR20MB41771F52BBABECAF92E396A6AED49%40BLAPR20MB4177.namprd20.prod.outlook.com.

 

---

talent::digital ist Fellow der Impact Factory

--
You received this message because you are subscribed to the Google Groups "ehcache-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ehcache-user...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/CAEEVJSpo5fMbHD7m0PaZE%3Dw5fu3YaFBXZOrS_rxj%3DR4RYWJ60w%40mail.gmail.com.

[Andre Eickler]

Thank you! 

Sorry for being unclear! The pinning works and 2.3.6 is correctly reported as the only version in dependency:tree. 

However, the dependency:go-offline used by CircleCI caching breaks. With 3.10.0, Maven downloads for whatever reason 22 versions of jaxb-runtime and then breaks (even though only one appears in the tree). With 3.9.9, it's only (!) four versions. I don't have the slightest.

Of course, if you have a hint, I appreciate it, but please let me not waste your time with this issue. It's maybe not the most important :-)

Cheers,

André

To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/BLAPR20MB41778D5F24835267DCF6B63CAED79%40BLAPR20MB4177.namprd20.prod.outlook.com.

[Chris Dennis]

Okay, a quick test shows that my noddy Maven project works okay with `go-offline` too. Not sure if that’s a CircleCI thing or something more complex about your POM. If you can give me a reproducible test case I can take a look. Long term I want to get some sample maven projects into the main Ehcache build to validate that maven usage works okay, it may be that aspects of your scenario might be worth weaving in to one or more of these samples.

To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/CAEEVJSpo5fMbHD7m0PaZE%3Dw5fu3YaFBXZOrS_rxj%3DR4RYWJ60w%40mail.gmail.com.

--
You received this message because you are subscribed to a topic in the Google Groups "ehcache-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ehcache-users/U1bO6QArswQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ehcache-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/BLAPR20MB41778D5F24835267DCF6B63CAED79%40BLAPR20MB4177.namprd20.prod.outlook.com.

 

---

talent::digital ist Fellow der Impact Factory

--

You received this message because you are subscribed to the Google Groups "ehcache-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ehcache-user...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/CAEEVJSo2NHy62wXQYXBjX9go_on00CD-w4bBXPdK4g_JmcFJYw%40mail.gmail.com.

[Andre Eickler]

Reducing the poms is a good idea. Maybe I am doing something stupid, but a pom.xml with just ehcache as dependency, an empty ~/.m2/repository and no settings.xml will reproduce this. 

So

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>eu.talentdigital.platform</groupId>
    <artifactId>jpa-repository</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.ehcache</groupId>
            <artifactId>ehcache</artifactId>
            <version>3.10.0</version>
        </dependency>
    </dependencies>

</project>

Then

mvn dependency:go-offline

produces

[ERROR] Failed to execute goal on project jpa-repository: Could not resolve dependencies for project eu.talentdigital.platform:jpa-repository:jar:0.0.1-SNAPSHOT: Failed to collect dependencies at org.ehcache:ehcache:jar:3.10.0 -> org.glassfish.jaxb:jaxb-runtime:jar:2.3.0-b170127.1453 -> org.glassfish.jaxb:jaxb-core:jar:2.3.0-b170127.1453 -> javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: Failed to read artifact descriptor for javax.xml.bind:jaxb-api:jar:2.3.0-b161121.1438: Could not transfer artifact javax.xml.bind:jaxb-api:pom:2.3.0-b161121.1438 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [releases.java.net (http://maven.java.net/content/repositories/releases/, default, releases+snapshots), shapshots.java.net (http://maven.java.net/content/repositories/snapshots/, default, releases+snapshots), jvnet-nexus-staging (http://maven.java.net/content/repositories/staging/, default, releases+snapshots), netbeans (http://bits.netbeans.org/nexus/content/groups/netbeans, default, releases)] -> [Help 1]

and my local repository cache has zillions of jaxb-runtime versions downloaded. If I repeat the same with 3.9.9 in the version, it goes through and there's no jaxb-runtime downloaded at all in this case.

Cheers,

André

To view this discussion on the web visit https://groups.google.com/d/msgid/ehcache-users/BLAPR20MB41773C16332996BB80591C7AAED79%40BLAPR20MB4177.namprd20.prod.outlook.com.