Bug#994876: maven: New upstream version 3.8.2 available

Hans Joachim Desserud debian at desserud.org
Mon Apr 11 12:55:52 BST 2022 

I looked at the latest maven version (3.8.5 at the time of this writing) 
to see how much work it would require and any blockers I might run into. 
I found the following:

1. I started with unpacking maven 3.8.5, moving over the debian package, 
adding new version number in changelog and running a build.
2. This seemed to work fine, no mismatching patches or other issues.
3. My first problem was that maven now has a dependency on maven-parent 
35, while Debian only has 31 
(https://tracker.debian.org/pkg/maven-parent). This seemed easy to fix, 
with uscan and an update I had a locally built maven-parent 35.
4. The next issue I ran into was the following build error:
[INFO] --------------< org.apache.maven:maven-settings-builder 
 >---------------
[INFO] Building Maven Settings Builder 3.8.5                             
[8/14]
[INFO] --------------------------------[ jar 
]---------------------------------
[WARNING] The POM for 
org.codehaus.plexus:plexus-sec-dispatcher:jar:debian is missing, no 
dependency information available
[INFO] 
------------------------------------------------------------------------
[INFO] Reactor Summary for Apache Maven 3.8.5:
[INFO]
[INFO] Apache Maven ....................................... SUCCESS [  
0.047 s]
[INFO] Maven Model ........................................ SUCCESS [  
2.791 s]
[INFO] Maven Artifact ..................................... SUCCESS [  
0.509 s]
[INFO] Maven Plugin API ................................... SUCCESS [  
0.406 s]
[INFO] Maven Builder Support .............................. SUCCESS [  
0.178 s]
[INFO] Maven Model Builder ................................ SUCCESS [  
1.290 s]
[INFO] Maven Settings ..................................... SUCCESS [  
0.268 s]
[INFO] Maven Settings Builder ............................. FAILURE [  
0.010 s]
[INFO] Maven Repository Metadata Model .................... SKIPPED
[INFO] Maven Artifact Resolver Provider ................... SKIPPED
[INFO] Maven Core ......................................... SKIPPED
[INFO] Maven SLF4J Simple Provider ........................ SKIPPED
[INFO] Maven Embedder ..................................... SKIPPED
[INFO] Maven Compat ....................................... SKIPPED
[INFO] 
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] 
------------------------------------------------------------------------
[INFO] Total time:  5.785 s
[INFO] Finished at: 2022-04-11T10:30:23+02:00
[INFO] 
------------------------------------------------------------------------
[ERROR] Failed to execute goal on project maven-settings-builder: Could 
not resolve dependencies for project 
org.apache.maven:maven-settings-builder:jar:3.8.5: Cannot access central 
(https://repo.maven.apache.org/maven2) in offline mode and the artifact 
org.codehaus.plexus:plexus-sec-dispatcher:jar:debian has not been 
downloaded from it before. -> [Help 1]
[ERROR]

This puzzled me, since libplexus-sec-dispatcher-java was already listed 
as a dependency and also installed. From what I can see, maven now 
requires plexus-sec-dispatcher 2.0 which also seems to have changed 
groupId (https://search.maven.org/search?q=plexus-sec-dispatcher). It 
now resides under org.codehaus.plexus, but the Debian package based on 
the older version and groupId is placed elsewhere in maven-repo 
https://search.maven.org/search?q=plexus-sec-dispatcher

So it looks like:
maven-parent needs an update to newer version.
plexus-sec-dispatcher needs an update to newer version and groupId.
More steps???
Upgraded maven

Since I didn't get a successful build, I don't know whether there might 
be other blockers or what happens when one does a test rebuild of other 
packages using maven, but I suppose that's for future testing.

I don't know how to proceed with plexus-sec-dispatcher, whether it 
should be updated to 2.0 (or packaged in parallell for those requiring 
the older version still). Hopefully this information will be helpful in 
the next steps for an upgrade.

-- 
mvh / best regards
Hans Joachim Desserud
http://desserud.org

More information about the pkg-java-maintainers mailing list