I am using Nexus and have configured maven-proxy and maven-hosted repositories, added them to a group repo and using that repo through settings.xml. Now when a new dependency is added in pom, maven-proxy goes to maven central and downloads it. However, I do not want this.
My goal is to stop replying on Maven central completely, but I know it won't work until my hosted repository contains everything that maven needs.
Issue is that Maven plugins like compiler, clean, jar etc. downloads tons of dependencies on its own. If I remove connection to maven proxy, how do I get all that list and then how do I make sure that I put whatever is needed in my hosted repository ?
Should I even try to put such artifacts in my hosted repo ? Is there any other better approach ?
You cannot really do that manually, the number of artifacts is way too large.
You can let Maven download all needed artifacts, then copy that from a remote to a hosted repository and work with that (until you need something new).
But it is still painful. I would not do that.
If your concern is security, I would use an open source security scanner instead of blocking internet access altogether.
Related
I am setting up a local repository using Apache Archiva. After setting up now I need to copy the libraries that got downloaded into my local maven repository into archiva. Currently I am manually copying it but it is very tedious process and I am planning to automate it using some scripts. Is there any better approach to do this?
I'm trying to write a plugin for this here which is able to copy jars and poms for all dependencies in all Configurations (including transitive dependencies). You might be interested in this code
Note: I've got a failing test here because I can't currently get the parent pom xml via the Gradle API's. I raised a feature request in Gradle here
There's a suggestion on the issue to use the IvyPot plugin... I haven't tried this myself but might be worth a shot.
For Example you are using this library and sometimes later this library no longer exist in maven so what happens to your project?
Can we be able to continue developing that project using this kind of remote library? or we need to replace codes that uses this library?
dependencies {
compile 'com.github.chrisbanes.actionbarpulltorefresh:library:+'
}
If you are talking about a dependency like the above which is in Maven Central the dependency will never be deleted in Maven Central, cause you can't delete artifacts in Maven Central.
If the depenedency is comming from somewhere else you might better duplicate the code into your internal system or the best solution would be to use a repository manager which contains every artifact which you ever used and you can backup this system without the need of Maven Central. Thinking of breaking network connections or something similar.
I guess the easiest would be to simply clone this library:
git clone https://github.com/chrisbanes/Android-PullToRefresh.git
and push it to your github account Pushing from local repository to GitHub hosted remote
I am working in a private network which doesn't have internet proxy.
I can not create a local repository as well which involves the bureaucracy, management won't allow it. I may be a long term fix but not the solution for the question I asked.
I can not keep maven as a build tool as it requires the direct or indirect internet connection.
I HAVE to use ANT for building the project hence using maven in offline mode also not an option for me.
But I still want to use the maven dependency management for collecting all the jars in a one archive smartly.
My plan is to generate a ZIP file containing dependencies resolved using maven. And then we will share this ZIP file to all developers working inside a private network which doesn't have internet connection.
To do so I will get a temporary access to a computer which is having internet connection and from there I will define a dummy POM with all the dependencies required.
Now the question is how do I generate a ZIP file ( not a single jar ) using maven which contains all the dependencies defined in POM.
while what youre suggesting is technically possible, it is (in my opinion) not the best solution to your problem.
your statement that
it requires the direct or indirect internet connection
is not accurate. what maven requires is a maven repository (or a set of them) to fetch stuff from. the best solution to your problem would be to install a local maven repository inside your organization's network. the 2 most popular choices for a loaclly-run maven repository seem to be nexus and artifactory - both offer free open source versions and paid supported pro versions.
once you set up a maven repository inside your organization's network and populate it with the artifacts you require you can simply configure all of your project's pom files to go to those repositories. for example, to configure maven to use your repo instead of maven central, you can do this:
<repositories>
<!-- override central -->
<repository>
<id>central</id>
<url>http://your.repo.location</url>
</repository>
</repositories>
you will need to map a plugin repository in a similar fashion.
its also possible to achieve this by configuring the maven settings.xml file in each user's home directory if you dont want this in the pom files but from my experience its less error-prone this way
use following command to build Maven project offline.
mvn -o package
Refer this and this for more information.
I ended up with a smart hack which lets me do dependency resolution and archiving!
I am creating a dummy maven web project with all the dependencies defined in pom xml.
Now the war packaging mode is used by default for web applications.
I simply install the maven project from internet facing machine.
I get all the dependencies and transitive dependencies in war file's "lib" directory with dependency naming version remaining unchanged !!!!
Copying and adding those files into an ANT project is a trivial task then..!
I have a small Java project in a version control system (git), shared by 4 developers. I'm thinking about using Maven in this project as a build tool.
Dependency management is a wanted feature, but I don't want:
- automatic updates of dependencies (as this could break my software).
- to rely on an Internet connection to download dependencies from a remote repository and be able to compile my code.
Therefore, the questions:
1) May I configure Maven to use local dependencies (eg jars shared in a VCS)? I don't have several dependencies shared among several projects and my dependencies rarely will be updated, so using Maven repositories is not worth it to me imho.
2) If I choose to use a Maven repository, may I configure one in my local network? I don't want a remote repository mirror or a portal to the remote repository. I want a standalone repository with my dependencies, located at a server in my local network.
3) If I use the default Maven approach with the remote repository, could I turn off dependency updates after all dependencies are downloaded the first time?
Thanks in advance for any help.
Answer to 1:
Yes you can, google for System-Scope dependencies, BUT: It is not a good idea to do this, because you will remove one of the key-features.
<dependency>
<groupId>com.mycompany</groupId>
<artifactId>app-lib</artifactId>
<version>3.1.0</version>
<scope>system</scope>
<systemPath>${project.basedir}/libs/app-lib-3.1.0.jar</systemPath>
</dependency>
Answer to 2:
Yes you can:
- Artifactory
- Nexus
Answer to 3:
Yes you can. For that case you can use the ---offline flag OR better approach: release all dependencies.
Some thoughts:
You want to use a dependecy-management system, without using dependency-management, sounds strange to mee.
If you fear, that changes within your libs may break your code, just don't use SNAPSHOTs.
Try a kind of version scheme. We use
x.y.z
if z changes in a release, the jar should be compatible.
if y changes, you'll have to change youz code
if x changes... well everthing needs to be renewed.
Your concern about being dependent on Internet connectivity is a valid one, but I don't think it's as bad as you think.
After a dependency is downloaded from the Central Repository, it is saved to a cache on your hard drive (located at "~/.m2/repository"). From then on, the copy in the cache is used and Internet connectivity is no longer required to compile your application.
When you compile your first project in Maven, it will have to download a crap-load of stuff. But after that, all subsequent compilations will go much faster and they won't need to download anything.
Also, Maven's versioning scheme makes it so that all "release" versions of a dependency cannot change once they are deployed to the Central repository. For example, if I'm using version "2.2" of "commons-io", I know that this version of the library will always stay the same. A change cannot be made without releasing a new version.
"Snapshot" versions, however, can change. If a library's version is a snapshot, then it will end in "-SNAPSHOT" (for example, "1.2-SNAPSHOT" means the library will eventually be released as "1.2"). I don't think the Central repository allows snapshot builds though. You shouldn't use them in production code anyway.
I thought that Internet connectivity was only needed in the 1st compile, but I get several download msgs whenever I change code. Msgs like these:
Downloading: http://repo.maven.apache.org/maven2/org/eclipse/core/resources/maven-metadata.xml
Downloading: http://repository.springsource.com/maven/bundles/external/org/eclipse/core/resources/maven-metadata.xml
Downloading: http://repository.springsource.com/maven/bundles/release/org/eclipse/core/resources/maven-metadata.xml
Downloading: https://oss.sonatype.org/content/repositories/snapshots/org/eclipse/core/resources/maven-metadata.xml
Why is that? Is Maven looking for updates in these repositories or is there another reason to download these metadata xmls often?
I am using M2Eclipse (0.10.0, Maven 3)in projects. I can add Maven dependency using m2eclipse. But dependency jars couldn't be downloaded. Instead, it created a file in each local repo folder named [JAR_Name].jar.lastupdate. The content of this file is some thing like :
http://[REPO_URL]/central/=1276221188566
Even using Maven 3 command line. Jars couldn't be downloaded. Any idea about how could this happen?
First off, the presence of "lastupdated" file is irrelevant. We need to know the debug output (mvn -X dependency:tree). Then you mentioned you were using repository manager and mirroring every request to it - so setup settings.xml according to this guide . If you just specified the mirror element with repository manager location and what repositories (URLs) you want to proxy ,(without that profile enabled which is practically changing policy for getting snapshots), you would have something like "central repository disabled" messages in your debug log. After you fix it, it should work.
EDIT: You can always use the URL of group repository from maven settings.xml http://hostname/nexus/content/groups/public + path to the artifact like "org/apache/maven/someartifact/maven-metadata.xml" and see if nexus can proxy the request and serve what you want. If this works, then the reason must be either in maven settings or pom definition.
I have the same problem. Don't know a 'real' solution, but whenever something isn't working I do a scan for .lastUpdated files in my local repo and delete them. Then things usually work again. (I think that might be due to a badly configured nexus, but unfortunately I don't have access to the nexus config)