Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Gradle module metadata not published for reactor-core 3.3.5 #2151

Closed
janekbettinger opened this issue May 8, 2020 · 12 comments
Closed

Gradle module metadata not published for reactor-core 3.3.5 #2151

janekbettinger opened this issue May 8, 2020 · 12 comments
Labels
type/bug A general bug type/chores A task not related to code (build, formatting, process, ...)
Milestone
3.2.18.RELEASE

Comments

@janekbettinger
Copy link

Current Behavior:

reactor-core 3.3.5 was published with a Gradle module metadata declaration in its POM file (published-with-gradle-metadata), however, the corresponding .module file is missing in the Maven Central repository.

Expected Behavior:

  1. reactor-core is published with Gradle module metadata and the .module file is published together with the POM and JAR file
  2. or reactor-core is published without Gradle module metadata and does not declare it in the POM file
@janekbettinger
Copy link
Author

This issue might be caused by the rather old Artifactory plugin:

reactor-core/build.gradle

Line 36 in a802238

id "com.jfrog.artifactory" version "4.9.8" apply false

The publication of Gradle metadata seems to be supported since version 4.11 only (jfrog/build-info#247 jfrog/build-info#265).

@simonbasle
Copy link
Member

hi @kroka and thanks for reporting!

Can you give more details as to how to reproduce the issue, and whether or not it blocks you from depending on reactor at all? I tried to create a Gradle project that imports the BOM and depends on 3.3.5 as a result, both with Gradle 5.x and 6.x, and couldn't get it to complain about the missing deployed metadata.

Note that nonetheless it is a publication issue that we'll need to fix one way or another. I'm just wondering if it should trigger a release early than the next planned one, which is end of June.

@simonbasle simonbasle added status/cannot-reproduce We cannot reproduce this issue. A repro case would help. type/chores A task not related to code (build, formatting, process, ...) labels May 13, 2020
@simonbasle simonbasle added this to the 3.3.6.RELEASE milestone May 13, 2020
@simonbasle simonbasle added the for/user-attention This issue needs user attention (feedback, rework, etc...) label May 13, 2020
@janekbettinger
Copy link
Author

Hi,

for most users that retrieve the artifacts from Maven Central or JCenter the missing module file is no problem as they will get a HTTP status 404 for it and Gradle will simply ignore it. With Gradle 5 it's also no problem as it does not work with Gradle module metadata.

In our projects we use JFrog Artifactory (which kind of proxies the Maven Central repo) that, however, returns 401 instead of 404. While this can be considered as wrong behavior of the Artifactory, the root cause is the invalid POM file / missing module file.
Due to this we cannot build projects with reactor-core 3.3.5 (and thus cannot use the latest Spring Boot version 2.2.7). So this is really a blocking issue for us and, unfortunately, we have not found a good workaround, yet (like downgrading rsocket from Spring dependencies).

Issue in Artifactory:

Issue in Gradle

We observed the invalid POM files in our projects, too, and solved it by updating the Artifactory plugin.
Alternatively, Gradle module metadata could be disabled like the guys from rsocket did in rsocket/rsocket-java#746 (motivated by spring-projects/spring-boot#20348). In the latter case the comment [...] <!-- do_not_remove: published-with-gradle-metadata --> disappears from the POM file and Gradle will not try do download a corresponding .module file.

I hope this helps understanding why this is an issue. It's a little thing but has an impact ;)

Best regards,
kroka

@simonbasle
Copy link
Member

I think we'll amend the build to avoid generating module metadata. As far as I can see, it doesn't seem to easily support optional dependencies so 🤷

@bclozel @wilkinsona did you ever come across the case of optional dependencies and found a workaround ? I'm aware that you're moving away from publishing the module metadata too, but that it is due to the lack of support for exclusions

@simonbasle
Copy link
Member

@kroka since it doesn't seem to affect users that fetch via bintray, the Spring artifactory or Maven Central (as these all give 404), we'll stick to the plan of releasing 3.3.6 in June for now.

one workaround I can think about is to checkout the project locally and generate the module metadata:

git checkout v3.3.5.RELEASE
./gradlew publishToMavenLocal -x check
cd ~/.m2/repository/io/projectreactor/reactor-core/3.3.5.RELEASE

Then you should technically be able to add the reactor-core-3.3.5.RELEASE.module file to the company's Artifactory, as it allows manually adding files to a given folder IIRC.

The drawback would be that for 3.3.5 you'd inherit strong dependencies instead of optional ones:

        {
          "group": "com.google.code.findbugs",
          "module": "jsr305",
          "version": {
            "requires": "3.0.2"
          }
        },
        {
          "group": "org.slf4j",
          "module": "slf4j-api",
          "version": {
            "requires": "1.7.12"
          }
        },
        {
          "group": "io.micrometer",
          "module": "micrometer-core",
          "version": {
            "requires": "1.3.0"
          }
        },
        {
          "group": "org.jetbrains.kotlin",
          "module": "kotlin-stdlib",
          "version": {
            "requires": "1.3.71"
          }
        },
        {
          "group": "io.projectreactor.tools",
          "module": "blockhound",
          "version": {
            "requires": "1.0.3.RELEASE"
          }
        }

@wilkinsona
Copy link
Contributor

@simonbasle What's the problem with optional dependencies? We're publishing Gradle module metadata for spring-boot-autoconfigure which has numerous optional dependencies without any problems. The exclusions limitation only affects a single module in Spring Boot (spring-boot-dependencies) so we'll stop publishing the metadata for that one module, but carry on publishing it for all the others.

@simonbasle
Copy link
Member

@wilkinsona from what I can see when doing a publishToMavenLocal with Gradle 6.3 in reactor, the generated .module lists the versions as above. All these versions in my previous comment are <optional>true</optional> in the pom.xml.

But of course, that is the result of a customization in a withXml() block...
That is done by iterating through the dependencies listed under the optional configuration provided IIRC by propdeps plugin ('org.springframework.build.gradle:propdeps-plugin:0.0.7').

And so, when I try to create a Gradle project that depends on these artifacts with the generated .module in the local maven repo, I get the whole bunch of transitive dependencies. If I remove the .module then I don't get the transitive dependencies.

Is that not the case with Spring Boot ?

@simonbasle simonbasle removed the status/cannot-reproduce We cannot reproduce this issue. A repro case would help. label May 13, 2020
@wilkinsona
Copy link
Contributor

Ah, the propdeps plugin. We don't use it in Boot for a few reasons, this being one of them. We have our own OptionalDependenciesPlugin that we use instead. Framework has a copy of it too. It's starting to feel like we should extract it into a spring-gradle-plugins project so it can be shared without copy-paste.

@janekbettinger
Copy link
Author

@simonbasle thank you for the comprehensive feedback! I agree and think that there is no need for an earlier release given that not all users are affected and that the issue we have is rather caused by multiple aspects.

simonbasle added a commit that referenced this issue May 14, 2020
@simonbasle
fix #2151 Allow publication of Gradle metadata, without optional deps
1af83f7 
This commit:
 - removes propdeps plugin, known to now be problematic
 - uses a simplified local buildSrc plugin to provide the optional scope

Additionally it fixes building kotlin code by ensuring both reactor-core
and reactor-test declare an optional dependency to Kotlin stdlib.

The custom plugin should result in a Gradle module metadata file that
doesn't contain references to optional dependencies.

Last but not least, the JFrog Artifactory Gradle plugin has been bumped
to 4.15.2, as versions below 4.11 are known to prevent
distribution of the .module file to Artifactory.
@simonbasle simonbasle added type/bug A general bug and removed for/user-attention This issue needs user attention (feedback, rework, etc...) labels May 14, 2020
simonbasle added a commit that referenced this issue May 19, 2020
@simonbasle
Merge #2151 into 3.3.6
b40b8db
simonbasle added a commit that referenced this issue May 19, 2020
@simonbasle
Merge #2151 into 3.4.0-M1
cf38eef
@santoshkumarcts
Copy link

santoshkumarcts commented May 21, 2020
edited
Loading

@kroka facing the same issue, any work around ?

@janekbettinger
Copy link
Author

@santoshkumarcts we do not have a good workaround, but I haven't spent too much time on it (had some struggle with permissions for pushing to the company's Artifactory from my local machine). Right now we stick with Spring Boot 2.2.4 and Spring Cloud Hoxton SR2. A downgrade to Gradle 5.6 should do the job, too, if it does not break your Gradle scripts.

@janekbettinger
Copy link
Author

@santoshkumarcts this seems to work:

implementation platform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")
implementation platform("org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}")

// work around https://github.com/reactor/reactor-core/issues/2151
implementation('io.projectreactor:reactor-core:3.3.4.RELEASE') {
        force = true
}

with Spring Boot 2.3.0.RELEASE and Spring Cloud Hoxton.SR2 (due to rsocket/rsocket-java#746 downgrading to RC5 did not work on first trial).

If you use the Gradle Spring Dependency Management plugin you'll probably have to set the reactor version by a property: https://docs.spring.io/spring-boot/docs/2.3.0.RELEASE/reference/htmlsingle/#dependency-versions-properties

@simonbasle simonbasle mentioned this issue Jul 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug A general bug type/chores A task not related to code (build, formatting, process, ...)
Projects
None yet
Milestone
3.2.18.RELEASE
Development

No branches or pull requests
4 participants
@wilkinsona @janekbettinger @simonbasle @santoshkumarcts