
maven-jar-plugin can create invalid Multi-Release jars

Open cushon opened this issue 2 months ago • 2 comments

Affected version

3.4.2

Bug description

When maven-jar-plugin is used to create a Multi-Release jar, it doesn't check that the jars are valid.

The jar tool will validate that the APIs of all versioned classes are the same, and report an error like the following if they are not:

entry: META-INF/versions/.../Foo.class, contains a class with different api from earlier version
invalid multi-release jar file ... deleted

Since JDK 17 (JDK-8266835), the jar tool supports a --validate flag that can be used to validate archives created by other tools. So one option would be to re-use that, or have a recommended way to run jar --validate on the outputs of maven-jar-plugin.

Here are two examples where this came up with jars created by maven-jar-plugin:

  • https://github.com/unitsofmeasurement/indriya/issues/348
  • https://github.com/raphw/asm-jdk-bridge/issues/11

cushon avatar Oct 15 '25 09:10 cushon
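
One way to run jar --validate over a build's output jars as a gate, following the suggestion in the issue above. This is an added example, not part of the issue or of maven-jar-plugin; the function name validate_jars, the JAR_TOOL variable and the directory argument are assumptions of this sketch, and it expects a JDK 17+ jar tool on the PATH.

```shell
#!/bin/sh
# Added example: fail a build when any produced jar does not pass
# `jar --validate` (available since JDK 17, JDK-8266835).
# JAR_TOOL is an assumption of this sketch: it lets the caller pin the
# jar binary of a specific JDK instead of whatever is first on PATH.

# validate_jars DIR
#   Runs `jar --validate --file` on every *.jar directly under DIR.
#   Returns 0 if all pass, 1 if at least one fails, 2 if DIR has no jars.
validate_jars() {
  dir="$1"
  tool="${JAR_TOOL:-jar}"
  failed=0
  seen=0
  for f in "$dir"/*.jar; do
    [ -e "$f" ] || continue        # the glob matched nothing
    seen=$((seen + 1))
    # The tool's own diagnostics (e.g. "contains a class with different
    # api from earlier version") are passed through on stderr.
    if "$tool" --validate --file "$f" >&2; then
      echo "ok       $f"
    else
      echo "INVALID  $f" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$seen" -eq 0 ]; then
    # Treat "nothing to check" as an error so a wrong path cannot pass silently.
    echo "no jars found in $dir" >&2
    return 2
  fi
  [ "$failed" -eq 0 ]
}

# Run only when a directory is given, e.g.:  ./validate-jars.sh target
if [ "$#" -gt 0 ]; then
  validate_jars "$1"
fi
```

Run it after the package phase so a jar whose versioned classes expose a different API than the base classes is rejected before it is published.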

Yes, I plan to work on that. Following the recent work merged on the compiler plugin, I propose to upgrade the JAR plugin to the JPMS world as well. This work would imply using the jar tool provided by the javax.tools API rather than zipping the file ourselves. In my understanding of JDK-8266835, the jar tool already verifies the validity of the multi-release file when these files are created with the --release option rather than by zipping the content of META-INF/versions/ ourselves. Therefore, we would not need to run jar --validate afterwards.

desruisseaux avatar Oct 15 '25 09:10 desruisseaux

Would be fixed by #495 if accepted.

desruisseaux avatar Nov 10 '25 00:11 desruisseaux