✨ feat: Add resolved field#1148
Conversation
|
Will solve #1149 first. |
|
TODOs:
|
|
This PR is now ready for review, became quite a lot of lines changed as all integration tests had to be updated with the new resolved field. |
algomaster99
left a comment
There was a problem hiding this comment.
Overwhelming PR but great job. I have some comments on the implementation and some changes.
| public class DeprecationUtils { | ||
| public static String ChecksumModeDeprecation(String checksumMode, Log logger) { | ||
| if (checksumMode.equals("maven_local")) { | ||
| if (logger != null) { | ||
| logger.warn("Option 'checksumMode=maven_local' is deprecated. Use 'checksumMode=local' instead."); | ||
| } | ||
| return "local"; | ||
| } | ||
| if (checksumMode.equals("maven_central")) { | ||
| if (logger != null) { | ||
| logger.warn("Option 'checksumMode=maven_central' is deprecated. Use 'checksumMode=remote' instead."); | ||
| } | ||
| return "remote"; | ||
| } | ||
|
|
||
| return checksumMode; | ||
| } |
There was a problem hiding this comment.
Why do we need this wrapper? Does't the logging library support @Deprecated annotation?
There was a problem hiding this comment.
Would @deprecated be used to generate the warning message for the log? Or to mark the option?
We can deprecate a parameter, which in this case would be checksumMode. But it is not the parameter which is deprecated but the options for it.
Looking at it I don't think it is needed to separate this into its own thing. I wanted to make sure the upgrade from older versions of lockfiles were smooth but since the config is generated from Gson it doesn't seem to go through the Config constructor and could therefore not be automatically updated, will revert.
There was a problem hiding this comment.
(P.s. sorry @ deprecated, not ment to mention you)
There was a problem hiding this comment.
generate the warning message for the log? Or to mark the option?
Ideally, there should be a warning message at runtime also but I am not sure if @Deprecated provides that - it is only a compiler warning. I assumed the logging libraries would also support it and can log the usage of deprecated components.
| Path remoteRepositoriesPath = artifactFolderPath.resolve("_remote.repositories"); | ||
| List<String> locallySavedRemoteRepositories = Files.readAllLines(remoteRepositoriesPath); |
There was a problem hiding this comment.
I feel that since we depend upon maven resolver, we should have the URL information readily available. We have access to org.apache.maven.artifact.Artifact which has an API getDownloadUrl and I expected it to returned the "resolved URL" but somehow it returns null.
Steps I tried:
mvn clean install -DskipTests
mvnDebug io.github.chains-project:maven-lockfile:5.4.3-SNAPSHOT:generate # on any maven project with plugins and dependenciesproject.getPluginArtifactMap().get("org.cyclonedx:cyclonedx-maven-plugin").getDownloadUrl() // returns nullI also tried deleting
org.cyclonedx:cyclonedx-maven-pluginartifact from my.m2folder butdownloadUrlis stillnull. Probably a bug in maven?
I am up for implementation using _remote.repositories file, but like you mentioned that day this file is internal to maven. I would prefer an implementation where artifact comes with the URL it was downloaded using.
There was a problem hiding this comment.
Fully agree an implementation using public APIs is preferable!
I also tried a bunch to get the value out of the getDownloadUrl as well, when I was speaking about not finding it in the open API.
My best guess for why it is null is that maven resolves and downloads the dependency prior to plugins running and that we would need to create a maven core extension to access this information. However, we would not want to be forced to redownload all dependencies to capture their resolved url so we would still need to read this file or access other internals of maven resolver.
Maybe we could send a mail to a mailing list and ask if someone knows how to access the download url with a public API from a plugin? Apache dev?
There was a problem hiding this comment.
the dependency prior to plugins running and that we would need to create a maven core extension to access this information.
I think the URL for dependencies was also null.
Maybe we could send a mail to a mailing list and ask if someone knows how to access the download url with a public API from a plugin? Apache dev?
Do ask them 👍 Maven Developer's List seems okay.
|
It seems to have a lot of already merged commits. Could you rebase this branch with |
…in to v3.4.1 (#1103) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: LogFlames <36220731+LogFlames@users.noreply.github.com>
RemoteChecksumCalculator is still left to update.
|
Ill try a rebase, hopefully it'll go well ^^ Long history 😅 |
b9ca86c to
c2542e4
Compare
|
Try converting the above class into |
|
We merge after updating README. |
…ded-artifact-to-the-lockfile
Ensure consistency between RemoteChecksumCalculator and FileChecksumCalculator. See comment in #1149.
|
@algomaster99 @massimeddu-sj note changes in RemoteChecksumCalculator to ensure consistency between RemoteChecksumCalcuclator and FileSystemChecksumCalculator when a checksum cannot be found. |
See #995.