Bug#1037064: maven-verifier depends on downloading sources at build time

Steve Langasek steve.langasek at canonical.com
Sat Jun 3 05:40:10 BST 2023


Source: maven-verifier
Version: 1.8.0-1
Severity: serious
Justification: package in main has dependency on external software
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu mantic

Dear maintainers,

maven-verifier 1.8.0-1 has been failing to build in Ubuntu, because its
build-time tests depend on downloading software from the Internet:

[...]
[ERROR] testWithMavenHome(org.apache.maven.it.Embedded3xLauncherTest)  Time elapsed: 0.581 s  <<< FAILURE!
java.lang.AssertionError: 
exit code unexpected, build log: 
[INFO] Scanning for projects...
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for org.apache.maven.shared:maven-verifier:1.4-SNAPSHOT: Could not transfer artifact org.apache.maven.shared:maven-shared-components:pom:18 from/to central (https://repo.maven.apache.org/maven2): transfer failed for https://repo.maven.apache.org/maven2/org/apache/maven/shared/maven-shared-components/18/maven-shared-components-18.pom and 'parent.relativePath' points at wrong local POM @ line 23, column 11
 @ 
[...]

  (https://launchpad.net/ubuntu/+source/maven-verifier/1.8.0-1/+build/26010073)

This fails because Launchpad does not allow network access during package
builds, unlike Debian buildds which usually have network access.

While this is not a build failure, it does mean building the package has a
dependency on software outside of main, which I believe is a serious policy
violation.

libmaven-parent-java ships maven-shared-components-35.pom and maven-verifier
build-depends on libmaven-parent-java.  So perhaps src/test/resources/pom.xml
simply needs to be updated to point at the current version instead of version 18?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
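
Added example, not part of the original message or of the maven-verifier package: a pre-build check that reads a POM's `<parent>` coordinates and reports whether that parent resolves from a local Maven-layout repository, which is the condition that decides whether Maven falls back to a network fetch as in the log above. The repository root is a parameter, and the sample POM and directory layout are constructed from the coordinates quoted in the report (the real contents of src/test/resources/pom.xml are not shown on this page).

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample: coordinates taken from the build log, the rest is assumed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.apache.maven.shared</groupId>
    <artifactId>maven-shared-components</artifactId>
    <version>18</version>
  </parent>
  <artifactId>maven-verifier</artifactId>
  <version>1.4-SNAPSHOT</version>
</project>"""

def parent_coords(pom_path):
    """Return (groupId, artifactId, version) of the POM's <parent>, or None."""
    parent = ET.parse(pom_path).getroot().find("m:parent", NS)
    if parent is None:
        return None
    return tuple((parent.findtext(f"m:{tag}", namespaces=NS) or "").strip()
                 for tag in ("groupId", "artifactId", "version"))

def check_offline(pom_path, repo_root):
    """Report whether the parent POM resolves from repo_root without network access."""
    coords = parent_coords(pom_path)
    if coords is None:
        return {"parent": None, "resolvable": True, "available": []}
    group, artifact, version = coords
    artifact_dir = Path(repo_root, *group.split("."), artifact)
    wanted = artifact_dir / version / f"{artifact}-{version}.pom"
    # Versions of the same artifact that are present locally, for the report.
    available = sorted(p.parent.name for p in artifact_dir.glob(f"*/{artifact}-*.pom"))
    return {"parent": coords, "resolvable": wanted.is_file(), "available": available}

def demo():
    """Constructed layout: the local repo ships version 35, the POM asks for 18."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        shipped = repo / "org/apache/maven/shared/maven-shared-components/35"
        shipped.mkdir(parents=True)
        (shipped / "maven-shared-components-35.pom").write_text("<project/>")
        pom = Path(tmp, "pom.xml")
        pom.write_text(SAMPLE_POM)
        return check_offline(pom, repo)

if __name__ == "__main__":
    print(demo())
```

A result with `resolvable` false and a non-empty `available` list is the situation described in the report: the build dependency provides the artifact, but not at the version the POM pins.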