Details
Description
When using a mirror to replace a repository and Maven fails
to retrieve an artifact from the mirror, the log messages
conflict on the actual URL that the download attempt was to.
Example of this behavior is below.
09/29/10 21:12:43 /cm/somepath/project |[DEBUG] Trying repository central
09/29/10 21:12:43 /cm/somepath/project |Downloading:
https://somemirror.org:8081/nexus/content/groups/bncbuild/org/apache/felix/maven-bundle-plugin/2.0.1/maven-bundle-plugin-2.0.1.pom
09/29/10 21:12:43 /cm/somepath/project |[DEBUG] Unable to get resource 'org.apache.felix:maven-bundle-plugin:pom:2.0.1' from repository central (http://repo1.maven.org/maven2): Error transferring file
The second log statement indicates that the file was being downloaded
from somemirror.org. The last log statement conflicts with second, indicating
instead that the connection was to repo1.maven.org. Seeing an attempt to
download from a repository outside our firewall worries the security
folk at our company. The expected result would be for the log to
indicate the actual URL it is going to or at least indicate that
the repository's URL is being overridden by a mirror.
Investigation points to the problem log statement being
in org.apache.maven.artifact.manager.DefaultWagonManager.getArtifact(), line 341.
http://svn.apache.org/viewvc/maven/maven-2/tags/maven-2.2.0/maven-artifact-manager/src/main/java/org/apache/maven/artifact/manager/DefaultWagonManager.java