Skip to content

bazel: Use https to download from Maven Central #6543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ejona86 merged 1 commit into from
Dec 18, 2019
Merged

bazel: Use https to download from Maven Central #6543

ejona86 merged 1 commit into from
Dec 18, 2019

Conversation

@ejona86
Copy link
Member

@ejona86 ejona86 commented Dec 18, 2019

central.maven.org shouldn't have been used in the first place as it isn't one
of the canonical URLs to Maven Central, but even more importantly we want to
use https. The previous URL will probably stop working January 15, 2020[1][2].

Fixes #6536

  1. https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/
  2. https://central.sonatype.org/articles/2019/Nov/15/non-canonical-urls-will-be-redirected-today/

@ejona86
bazel: Use https to download from Maven Central
319e515 
central.maven.org shouldn't have been used in the first place as it isn't one
of the canonical URLs to Maven Central, but even more importantly we want to
use https. The previous URL will probably stop working January 15, 2020[1][2].

Fixes grpc#6536

1. https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/
2. https://central.sonatype.org/articles/2019/Nov/15/non-canonical-urls-will-be-redirected-today/
@ejona86 ejona86 requested a review from dapengzhang0 December 18, 2019 17:38
@ejona86 ejona86 added the TODO:backport PR needs to be backported. Removed after backport complete label Dec 18, 2019
sanjaypujare
sanjaypujare reviewed Dec 18, 2019
View reviewed changes
repositories.bzl
name = "com_google_android_annotations",
artifact = "com.google.android:annotations:4.1.1.4",
server_urls = ["http://central.maven.org/maven2"],
server_urls = ["https://repo.maven.apache.org/maven2/"],
Copy link
Contributor

@sanjaypujare sanjaypujare Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is "https://repo.maven.apache.org/maven2/" preferred over "https://repo1.maven.org/maven2" ? Wondering why not use a "maven.org" URL.

Copy link
Contributor

@dapengzhang0 dapengzhang0 Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems they are resolved to different ip addresses, can we add both?

Copy link
Member Author

@ejona86 ejona86 Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://central.sonatype.org/articles/2018/Dec/17/ssl-endpoints/ talks about the two canonical URLs. I learned of repo.maven.apache.org as part of gradle/gradle#3463 . It's hard to tell exactly, but it seems Maven recommends repo.maven.apache.org (maybe because they control it) but Sonatype (Maven Central itself) tends to recommend repo1.maven.org (maybe because they control it, or they have out-dated documentation).

Copy link
Member Author

@ejona86 ejona86 Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be more clear: yes, maven.org is not controlled by the Maven project, but instead a commercial entity that grew out of the Maven project.

Copy link
Contributor

@sanjaypujare sanjaypujare Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding both seems to be a good idea if they are actually different servers (I thought one of them was just a redirect).

Copy link
Member Author

@ejona86 ejona86 Dec 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maven and Gradle both only use a single of the two URLs. I don't see much advantage in using both. Both should be behind a CDN, so each probably have many IPs.

@ejona86 ejona86 merged commit a4299eb into grpc:master Dec 18, 2019
@ejona86 ejona86 deleted the bazel-https branch December 18, 2019 18:24
This was referenced Dec 19, 2019
Merged
Merged
Merged
Merged
@ejona86
Copy link
Member Author

ejona86 commented Dec 19, 2019

I've backported this as far as 1.23, since this will probably blind-side users. I can backport further back if necessary.

@ejona86 ejona86 mentioned this pull request Jan 16, 2020
Closed
@ejona86 ejona86 removed the TODO:backport PR needs to be backported. Removed after backport complete label Feb 12, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Mar 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@dapengzhang0 dapengzhang0 dapengzhang0 approved these changes

@sanjaypujare sanjaypujare sanjaypujare left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@dapengzhang0 dapengzhang0

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

repositories.bzl uses http (not https)

3 participants

@ejona86 @dapengzhang0 @sanjaypujare