Update Maven to 3.8.5 and maven-invoker to 3.1.0

[famod]

See also:

• https://maven.apache.org/docs/3.8.5/release-notes.html
• https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12351105

Btw, "CI Friendly Versions" are now "pluggable": https://issues.apache.org/jira/browse/MNG-7407
We might need to adapt to this in the long run...

In passing, I also updated maven-invoker which hasn't been touched for years.

[famod]

See apache/maven#649

[aloubyansky]

@famod do you know whether this change is backward compatible? Would this work in Maven 3.6.2. for example?

[famod]

@aloubyansky very good point! I don't think it is. I'll most likely have to resort to reflection (check the precence of ProfileActivationFilePathInterpolator).

Edit: Might just work after all. 🤔 Anyway, I'll check...

[famod]

Interestingly, if I just use Maven 3.8.5 with my Quarkus 2.7.4 based project, the following profile doesn't work anymore:

        <profile>
            <id>image-build</id>
            <properties>
                <quarkus.container-image.name>register</quarkus.container-image.name>
                <quarkus.phase>package</quarkus.phase>
            </properties>
            <dependencies>
                <dependency>
                    <groupId>io.quarkus</groupId>
                    <artifactId>quarkus-container-image-jib</artifactId>
                </dependency>
            </dependencies>
        </profile>

Meaning: mvn -Pimage-build will not build an image via Jib anymore. Need to take a closer look. (cc @geoand just FYI)
Updating to this PR doesn't fix anything, btw.

[geoand]

Wow!

[famod]

If move quarkus-container-image-jib out of the profile (to make it a "default" dependency) the image build works again.

But my qdev profiles adding a special mocks-classified jar are broken as well and there is workaround I can think of.

So dependencies in profiles seem broken in Maven 3.8.5. I'll see what the mailing list has to say...
Edit: https://lists.apache.org/thread/b4gr6nj8q3671gt5nvqs69859nbwv9yf

[michael-o]

Nothing I currently aware of from the top of my head. Since I don't know quarkus, best is to bisect. But honestly, I intentionally leave people more than a week to try out a release before it goes GA. Same happened with previous releases 😭 @cstamas you remember we have talked about. I will cut down the voting period down to three days again.

[famod]

@michael-o Thanks for your feedback!

After some trial and error I had to resort to bisecting and this is the offending commit/change: apache/maven#668 "[3.8.x][MNG-7400] - Allow more WorkspaceReader's to participate"
The problem is that this in Quarkus:

quarkus/independent-projects/bootstrap/maven-resolver/src/main/java/io/quarkus/bootstrap/resolver/maven/MavenArtifactResolver.java

Line 164 in 657ae29

return repoSystem.resolveArtifact(repoSession,

is not getting back the dependency from the profile anymore.

At first glance I don't really see what's "wrong" with that change, but it has been a long day and I cannot say I know that code that well.

@aloubyansky does that make any sense to you?

[michael-o]

@laeubi can you help?

[michael-o]

I am confused why it actually fails because the default behavior did not change...

[famod]

I've just bisected it again, same result.

Test project: q_mvn385.zip

sdk use maven 3.8.5 && mvn -DskipTests package -Dquarkus.container-image.build=true -Pimage will only print:

[INFO] --- quarkus-maven-plugin:2.7.4.Final:build (default) @ code-with-quarkus ---
[INFO] [io.quarkus.deployment.QuarkusAugmentor] Quarkus augmentation completed in 745ms
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

but sdk use maven 3.8.4 && mvn -DskipTests package -Dquarkus.container-image.build=true -Pimage will take much longer and prints:

[INFO] --- quarkus-maven-plugin:2.7.4.Final:build (default) @ code-with-quarkus ---
[INFO] [io.quarkus.container.image.jib.deployment.JibProcessor] Starting (local) container image build for jar using jib.
[WARNING] [io.quarkus.container.image.jib.deployment.JibProcessor] Base image 'registry.access.redhat.com/ubi8/openjdk-11-runtime:1.11' does not use a specific image digest - build may not be reproducible
[INFO] [io.quarkus.container.image.jib.deployment.JibProcessor] Using base image with digest: sha256:fbb5089878df9105272cfa66d088bbf89854a1d71cbf29714f019dcf17cb1363
[INFO] [io.quarkus.container.image.jib.deployment.JibProcessor] Container entrypoint set to [java, -Djava.util.logging.manager=org.jboss.logmanager.LogManager, -jar, quarkus-run.jar]
[INFO] [io.quarkus.container.image.jib.deployment.JibProcessor] Created container image moldowan/code-with-quarkus:1.0.0-SNAPSHOT (sha256:68827fd06d47b8e03a2828417e46b6fb3d68d0b2536f1ddb3520d0b4fed6363a)

[INFO] [io.quarkus.deployment.QuarkusAugmentor] Quarkus augmentation completed in 4628ms
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

(and obviously builds the image, as expected)

PS: You should have docker running.
PPS: At some point I'll probably have to create a MNG issue, but it's all still rather unclear.

[famod]

FTR, I built maven like this when bisecting:

mvn clean package -PversionlessMavenDist -Drat.skip -DskipTests -T4 && unzip apache-maven/target/apache-maven-bin.zip -d apache-maven/target/apache-maven

and then used the result to build the test project:

/home/famod/proj/maven/apache-maven/target/apache-maven/apache-maven/bin/mvn clean package -DskipTests -Dquarkus.container-image.build=true -Pimage

[laeubi]

I'll try to take a look but know nothing about quarkus, I assume that I get errors about missing permissions to access docker is fine an not part of the problem :-)

[laeubi]

But honestly, I intentionally leave people more than a week to try out a release before it goes GA. Same happened with previous releases sob @cstamas you remember we have talked about. I will cut down the voting period down to three days again.

@michael-o I think this is good (one week testing period) we do the same for tycho as well. I know that m2e and tycho have done testing of the release so please keep the longer period :-)

What might help is, that https://maven.apache.org/download.cgi would not only list current + previous releases but an download for "upcomming" (aka SNAPSHOT) so people are getting more aware of there is something to preview/test even before the the release is started.

[michael-o]

Snapshots aren't guaranteed. I virtually never push them. They maybe master or branches. Best is to build from sources.

[laeubi]

Snapshots aren't guaranteed. I virtually never push them. They maybe master or branches. Best is to build from sources.

For sure this should be automated, what about Github Action with automatic push to Github packages or something?

[michael-o]

Snapshots aren't guaranteed. I virtually never push them. They maybe master or branches. Best is to build from sources.

For sure this should be automated, what about Github Action with automatic push to Github packages or something?

Likely ASF Jenkins does, but I am not sure. @olamy do you know better?

[laeubi]

I am confused why it actually fails because the default behavior did not change...

I debugged this and there is a very slight variation that (actually) should not make a difference but I have not found out why it seems to cause an issue here.

3.8.4

https://github.com/apache/maven/blob/9b656c72d54e5bacbed989b64718c159fe39b537/maven-core/src/main/java/org/apache/maven/DefaultMaven.java#L252-L253
As repoSession.getWorkspaceReader() is null most of the time, we effectively end up with the ReactorReader itself set as the WorspaceReader instance (ChainedWorkspaceReader returns the non null item if any of both arguments are null)

3.8.5

https://github.com/apache/maven/blob/3599d3414f046de2324203b78ddcf9b5e4388aa0/maven-core/src/main/java/org/apache/maven/DefaultMaven.java#L341-L342
As one can see we always construct a ChainedWorkspaceReader

Consequence

If code in maven or quarkus using reflection, instanceof or unchecked casts that assume a ReactorReader is the real instance of the WSR the result may vary because the instance of the WSR is now different even though there is still only the ReactorReader in charge.

[olamy]

Snapshots aren't guaranteed. I virtually never push them. They maybe master or branches. Best is to build from sources.

For sure this should be automated, what about Github Action with automatic push to Github packages or something?

Likely ASF Jenkins does, but I am not sure. @olamy do you know better?

as far as I can see in Jenkinsfile, any build of master branch deploy a SNAPSHOT to https://repository.apache.org/content/groups/snapshots
@michael-o maybe this should be extended to branches 3.8.x and 3.9.x?

[laeubi]

I have searched for reference in maven itself but can't find any reference that directly uses ReactorReader (not even a unit test...) but the ReactorReader also implements MavenWorkspaceReader what is checked here (pleas also note the TODO:

https://github.com/apache/maven/blob/3599d3414f046de2324203b78ddcf9b5e4388aa0/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/DefaultArtifactDescriptorReader.java#L260-L269

The same hack exits here:
https://github.com/apache/maven/blob/3599d3414f046de2324203b78ddcf9b5e4388aa0/maven-core/src/main/java/org/apache/maven/project/artifact/MavenMetadataSource.java#L183-L189

and as ChainedWorkspaceReader does not implement this interface (but maybe should be?) so this is the only codepath where it could make a difference I can tell so far.

[laeubi]

as far as I can see in Jenkinsfile, any build of master branch deploy a SNAPSHOT to https://repository.apache.org/content/groups/snapshots

I'm missing the binary distribution here.

@michael-o maybe this should be extended to branches 3.8.x and 3.9.x?

I think that would be useful as well.

[laeubi]

as ChainedWorkspaceReader does not implement this interface (but maybe should be?)

ChainedWorkspaceReader is part of maven-resolver ... But maybe maven should simply implement its own MavenChainedWorkspaceReader?

[michael-o]

Snapshots aren't guaranteed. I virtually never push them. They maybe master or branches. Best is to build from sources.

For sure this should be automated, what about Github Action with automatic push to Github packages or something?

Likely ASF Jenkins does, but I am not sure. @olamy do you know better?

as far as I can see in Jenkinsfile, any build of master branch deploy a SNAPSHOT to https://repository.apache.org/content/groups/snapshots @michael-o maybe this should be extended to branches 3.8.x and 3.9.x?

Absolutely

[michael-o]

I have searched for reference in maven itself but can't find any reference that directly uses ReactorReader (not even a unit test...) but the ReactorReader also implements MavenWorkspaceReader what is checked here (pleas also note the TODO:

https://github.com/apache/maven/blob/3599d3414f046de2324203b78ddcf9b5e4388aa0/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/DefaultArtifactDescriptorReader.java#L260-L269

The same hack exits here: https://github.com/apache/maven/blob/3599d3414f046de2324203b78ddcf9b5e4388aa0/maven-core/src/main/java/org/apache/maven/project/artifact/MavenMetadataSource.java#L183-L189

and as ChainedWorkspaceReader does not implement this interface (but maybe should be?) so this is the only codepath where it could make a difference I can tell so far.

Those two hacks you have found are already known as severe issues of over-eagerly caching. People request to remove them. There is at least a JIRA issue for that.

[aloubyansky]

It's also not obvious for me why that commit breaks it. AFAICS, this issue can be reproduced w/o Quarkus. Here is what I see.
If I list project's dependencies in a mojo using project.getArtifacts() I see the complete list of dependencies including those from the enabled profile. However, if I resolve the project's dependencies using the repo system and session injected in the mojo, I don't see the dependencies form the enabled profile anymore.

[laeubi]

Those two hacks you have found are already known as severe issues of over-eagerly caching. People request to remove them. There is at least a JIRA issue for that.

I can verify (with a local build) that these "hacks" make the difference for quarkus. If I let ChainedWorkspaceReader implement MavenWorkspaceReader then the build works as before.

AFAICS, this issue can be reproduced w/o Quarkus.

Do you think you can provide a Unit-Test or at least an integration test for this? Because even if we fix this now, it will break again if these hacks are removed otherwise...

Funny enough this should ale be the case if there was always ever a IDE WSR in place (but probably no one notice it in that context).

[laeubi]

@olamy should I open a PR for a quick-fix?

[olamy]

@olamy should I open a PR for a quick-fix?

yup sure if you have otherwise I will look at it later today.
btw this change need to be apply to 3 branches.

[olamy]

and guys you should better talk about maven issues in a Maven place rather than here.
to be sure to have the right audience :)

[famod]

@olamy

and guys you should better talk about maven issues in a Maven place rather than here.

Right, it was just to get the ball rolling. 🙂

@laeubi

Those two hacks you have found are already known as severe issues of over-eagerly caching. People request to remove them. There is at least a JIRA issue for that.

I can verify (with a local build) that these "hacks" make the difference for quarkus. If I let ChainedWorkspaceReader implement MavenWorkspaceReader then the build works as before.

Thanks a lot for your support and for finding the root cause!

@aloubyansky so I think we need to skip 3.8.5, agreed?

[aloubyansky]

@aloubyansky so I think we need to skip 3.8.5, agreed?

Agreed.

Do you think you can provide a Unit-Test or at least an integration test for this?

@laeubi I am trying to create a more simple reproducer for now that does not involve Quarkus.

[famod]

I'll close this for now and will take another look once 3.8.6 is out.

Thanks everyone!

PS: Feel free to continue discussing here if it doesn't fit elsewhere.

[aloubyansky]

BTW, @famod looks like there is a workaround for you. If you add activation to your profile, e.g.

  <profiles>
    <profile>
      <id>image</id>
      <activation>
          <property>
              <name>image</name>
          </property>
      </activation>

and replace -Pimage with -Dimage on the command line, it'll work. So it is related to the profile activation. I'll push a simple reproducer in a bit.

[aloubyansky]

@laeubi I created a simple reproducer here https://github.com/aloubyansky/playground/tree/maven-3.8.5-profile-activation Hope it'll help.

[laeubi]

@aloubyansky as I don't know much about why/what this does reagrding the hacks @michael-o might can give a hint what the coresponding JIRA issue is so we can link it there?

[famod]

@aloubyansky excellent work on that reproducer, very nice rundown of the problem!

Do we already have a MNG ticket? If not I can create one later.

[famod]

https://issues.apache.org/jira/browse/MNG-7432

[laeubi]

and guys you should better talk about maven issues in a Maven place rather than here. to be sure to have the right audience :)

I have created https://issues.apache.org/jira/browse/MNG-7435 now.