Closed nuthub closed 1 year ago
wrong patch
Hi, I tried this solution but it doesn't work. Could it be possible that the problem is in some internal library or dependency in the POM?
Hi,
One of the errors was this:
r repositories: [eis-public-repo (http://maven.iais.fraunhofer.de/artifactory/eis-ids-public, default, disabled), eis-snapshot-repo (http://maven.iais.fraunhofer.de/artifactory/eis-ids-snapshot, default, releases+snapshots), eis-ids-public (http://maven.iais.fraunhofer.de/artifactory/eis-ids-public, default, releases+snapshots)]
I opened the repository: https://maven.iais.fraunhofer.de/ui/native/eis-ids-public/de/fraunhofer/iais/eis/ids/infomodel/validation-serialization-provider/4.2.7-SNAPSHOT/
We can see this POM is pointing to the old URL:
I think this problem can occur in all the components that are using the old URL.
I guess the best solution would be to have a redirect from HTTP -> HTTPS in place at maven.iais.fraunhofer.de, right?
I don't know if a redirection will work. The problem is related to this issue:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
The solution they give is to change the source or add a mirror in the POM settings:
I guess a redirect won't work because the blocking happens when Maven parses the URL.
ok, the problem therefore does not exist with Maven versions below 3.8.1, right? I got a successful build with Maven 3.6.3 on a VM that allowed me to install that rather old maven version. Of course one idea of using docker and the like is the idea to specify a particular version a software depends on to have some kind of reproducible builds. The problem with the Dockerfile in this case is that it does not specify a specific version of Maven to build the DataspaceConnector. (Another problem is of course that the software depends on artifacts that depend on artifacts that can't be found on the official Maven repository and therefore additionally depends on the availability of the additional maven repositories like the one of Fraunhofer IAIS).
One way to avoid modification of more dependencies (considered as 3rd party dependencies), which may not be possible in each case and may have additional side effects, is to explicitly specify a maven version in the Dockerfile. This is what I have done here:
It worked for me too. I think this may be a temporary solution, but if the servers have changed to https, the urls need to be changed as well.
http://maven.iais.fraunhofer.de/ui/native/eis-ids-public isn't accessible anymore, but https://maven.iais.fraunhofer.de/ui/native/eis-ids-public is accessible
addresses #678
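
Added example, not part of the thread or the project's code: a Python check that lists every `<repository>`/`<pluginRepository>` element in a POM that Maven 3.8.1+ refuses because it uses plain HTTP to a non-local host (a simplification of the default `external:http:*` blocker rule). The sample POM is constructed, reusing repository ids and URLs from the error message quoted in the thread; the `local-dev` entry and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample POM; the eis-* ids and URLs come from the error message
# quoted in the thread, "local-dev" is a made-up entry for contrast.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>eis-snapshot-repo</id>
      <url>http://maven.iais.fraunhofer.de/artifactory/eis-ids-snapshot</url>
    </repository>
    <repository>
      <id>eis-ids-public</id>
      <url>https://maven.iais.fraunhofer.de/artifactory/eis-ids-public</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>local-dev</id>
      <url>http://localhost:8081/repo</url>
    </pluginRepository>
  </pluginRepositories>
</project>"""

LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # hosts the blocker treats as non-external


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]


def blocked_repositories(pom_xml):
    """Return (id, url, https_candidate) for each plain-HTTP external repository."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        if local_name(elem.tag) not in ("repository", "pluginRepository"):
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in elem}
        parts = urlsplit(fields.get("url", ""))
        if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            # Same host and path over TLS; confirm the server serves it before committing
            https_url = parts._replace(scheme="https").geturl()
            findings.append((fields.get("id", "?"), fields["url"], https_url))
    return findings


if __name__ == "__main__":
    for repo_id, url, https_url in blocked_repositories(SAMPLE_POM):
        print(f"{repo_id}: {url} is blocked by Maven >= 3.8.1; try {https_url}")
```

Running it over the POMs of transitive dependencies as well shows which third-party artifacts still carry the old HTTP URL, which is the case raised in the thread.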