rules_jvm_external

pinned URL fluctuates for multi-homed JARs

Open dhalperi opened this issue 3 years ago • 0 comments

In one of our projects, we use Shibboleth. Shibboleth has its own Maven repository, and some of the jars are only hosted there. Others are hosted both there and on Maven Central.

We use multiple repositories in WORKSPACE:

    repositories = [
        "https://repo1.maven.org/maven2",
        "https://build.shibboleth.net/nexus/content/repositories/releases/",
    ],

What I'm seeing is that, when I rerun @unpinned_maven//:pin, the URLs for the dual-hosted JARs fluctuate in an unpredictable way. This tends to make it harder to review updates to dependencies.

Example snippet:

                 "sha256": "66a625c240ce6708549b632e8e73f8a6d526c58aeb7b75d41f3bcfe48413f04e",
-                "url": "https://repo1.maven.org/maven2/net/shibboleth/ext/spring-extensions/6.0.0/spring-extensions-6.0.0-sources.jar"
+                "url": "https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/ext/spring-extensions/6.0.0/spring-extensions-6.0.0-sources.jar"
             },
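
Review bot: the `url` line is the only thing that changes in this hunk while the `sha256` context line above it stays the same, so the hunk records a different host for the same sources JAR rather than a dependency update. When reviewing a re-pin, confirm for each such hunk that `sha256` is untouched context before treating the URL change as noise; a hunk that does change `sha256` needs a real review.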

Wondering if it's possible to make the lockfile deterministic in these cases.

dhalperi, Jun 09 '21 20:06
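
One way to separate the host-only churn described in this issue from changes that alter pinned content when reviewing a re-pin, as an added example that is not part of the original issue or of rules_jvm_external: it walks two parsed lockfiles for any object carrying both `sha256` and `url` (the two keys visible in the snippet) and classifies the differences. The function names, the `dependencies` wrapper key and the second sample entry are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

def collect(node, found=None):
    """Walk parsed JSON; map sha256 -> url for every object carrying both keys."""
    found = {} if found is None else found
    if isinstance(node, dict):
        if isinstance(node.get("sha256"), str) and isinstance(node.get("url"), str):
            found[node["sha256"]] = node["url"]
        for value in node.values():
            collect(value, found)
    elif isinstance(node, list):
        for value in node:
            collect(value, found)
    return found

def classify(old_doc, new_doc):
    """Separate host-only churn from changes that alter pinned content."""
    old, new = collect(old_doc), collect(new_doc)
    old_by_url = {url: digest for digest, url in old.items()}
    report = {"host_only": [], "rehashed": [], "added": [], "removed": []}
    for digest, url in new.items():
        if digest in old:
            if old[digest] != url:  # same bytes, different recorded source
                report["host_only"].append(
                    (digest, urlsplit(old[digest]).hostname, urlsplit(url).hostname))
        elif url in old_by_url:  # same URL now pins different bytes
            report["rehashed"].append((url, old_by_url[url], digest))
        else:
            report["added"].append((digest, url))
    new_urls = set(new.values())
    report["removed"] = [(d, u) for d, u in old.items()
                         if d not in new and u not in new_urls]
    return report

# Constructed sample: the first entry uses the hash and URLs from the issue;
# the second entry and the "dependencies" wrapper key are made up for illustration.
PAGE_SHA = "66a625c240ce6708549b632e8e73f8a6d526c58aeb7b75d41f3bcfe48413f04e"
TAIL = "net/shibboleth/ext/spring-extensions/6.0.0/spring-extensions-6.0.0-sources.jar"
DEMO_URL = "https://repo.example.invalid/demo/demo-1.0.jar"
OLD = {"dependencies": [
    {"sha256": PAGE_SHA, "url": "https://repo1.maven.org/maven2/" + TAIL},
    {"sha256": "a" * 64, "url": DEMO_URL}]}
NEW = {"dependencies": [
    {"sha256": PAGE_SHA,
     "url": "https://build.shibboleth.net/nexus/content/repositories/releases/" + TAIL},
    {"sha256": "b" * 64, "url": DEMO_URL}]}

if __name__ == "__main__":
    print(json.dumps(classify(OLD, NEW), indent=2))
```

Entries under `host_only` are the fluctuation reported here; anything under `rehashed` or `added` is what a reviewer should actually read.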