bazel: Use https to download from Maven Central#6543
Conversation
central.maven.org shouldn't have been used in the first place as it isn't one of the canonical URLs to Maven Central, but even more importantly we want to use https. The previous URL will probably stop working January 15, 2020[1][2]. Fixes grpc#6536 1. https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/ 2. https://central.sonatype.org/articles/2019/Nov/15/non-canonical-urls-will-be-redirected-today/
ejona86
added
the
TODO:backport
| name = "com_google_android_annotations", | ||
| artifact = "com.google.android:annotations:4.1.1.4", | ||
| server_urls = ["http://central.maven.org/maven2"], | ||
| server_urls = ["https://repo.maven.apache.org/maven2/"], |
There was a problem hiding this comment.
Is "https://repo.maven.apache.org/maven2/" preferred over "https://repo1.maven.org/maven2" ? Wondering why not use a "maven.org" URL.
There was a problem hiding this comment.
Seems they are resolved to different ip addresses, can we add both?
There was a problem hiding this comment.
https://central.sonatype.org/articles/2018/Dec/17/ssl-endpoints/ talks about the two canonical URLs. I learned of repo.maven.apache.org as part of gradle/gradle#3463 . It's hard to tell exactly, but it seems Maven recommends repo.maven.apache.org (maybe because they control it) but Sonatype (Maven Central itself) tends to recommend repo1.maven.org (maybe because they control it, or they have out-dated documentation).
There was a problem hiding this comment.
To be more clear: yes, maven.org is not controlled by the Maven project, but instead a commercial entity that grew out of the Maven project.
There was a problem hiding this comment.
Adding both seems to be a good idea if they are actually different servers (I thought one of them was just a redirect).
There was a problem hiding this comment.
Maven and Gradle both only use a single of the two URLs. I don't see much advantage in using both. Both should be behind a CDN, so each probably have many IPs.
|
I've backported this as far as 1.23, since this will probably blind-side users. I can backport further back if necessary. |
ejona86
removed
the
TODO:backport
3 participants
central.maven.org shouldn't have been used in the first place as it isn't one
of the canonical URLs to Maven Central, but even more importantly we want to
use https. The previous URL will probably stop working January 15, 2020[1][2].
Fixes #6536