Resolving release version ranges causes snapshot repositories to be queried for metadata

[ctubbsii]

Affected version

3.9.9

Bug description

When resolving a version range, the Maven resolution will query metadata from all configured repositories, without regard to whether that repository is enabled for snapshots or not. However, it seems that the default resolution behavior is to exclude snapshot versions from resolution unless at least one of the bounds of the range refers to a snapshot version. So, most version ranges should not need to query repositories that are configured for snapshots only.

This is a problem because unnecessary queries can cause performance problems, and can even lead to blocks/bans.

If the version range does not contain a snapshot version in its bounds, only repositories configured for releases should be queried. Any repositories configured for snapshots only should be excluded, and should never be queried, as they should only be used for snapshots, and snapshot versions should already be excluded from a possible the resolution of the range.

Because of this bug, even a properly configured project, that only uses a snapshot repository in a limited way during development, can be affected by introducing a version range anywhere in a project's dependency tree.

In summary: when resolving release version ranges, snapshot repositories should be excluded from consideration before any metadata is queried.

This is related to:

• PR Avoid unnecessarily accessing snapshot repositories accumulo#5709 attempts to work around the issue for Apache Accumulo developers, where it appears that a version range in a transitive dependency on bouncycastle caused those developers to be blocked by too many 404s against repository.apache.org, when repository.apache.org should never have been queried for bouncycastle, but it was because of this bug
• PR [MPOM-451] Move snapshot repositories in a profile maven-apache-parent#183 removes the snapshot from the Apache parent POM by default
• Issue Documentation says that version ranges should not resolve to SNAPSHOT, but SNAPSHOT repos are still queried maven-enforcer#906 highlights that the linked documentation about version ranges excludes SNAPSHOTS unless a snapshot version is explicitly one of the bounds of the version range
• Comment at MPOM-451 indicates correctly that this behavior can lead to being blocked by INFRA for too many 404s

This probably affects earlier versions, but 3.9.9 is the earliest I've tried.

There are several workarounds, but none of them are perfect. Here are two:

1. Avoid version ranges using a maven-enforcer-plugin rule against dynamic versions. While I agree that version ranges should generally be avoided, they do have some valid use cases.
2. Ensure that no pom or settings have any snapshot repositories enabled. This may not be practical, because there may be a need to use some SNAPSHOT versions on occasion, during development. In these cases, the resolution of version ranges for releases should not cause the snapshot repository to be queried. Only the resolution of the snapshot dependency should cause the snapshot repository to be queried.

[cstamas]

Reproducer: https://github.com/cstamas/maven-2558

[cstamas]

Reproducer clearly shows this is in fact right: "When resolving a version range, the Maven resolution will query metadata from all configured (remote) repositories". And it was always like that. In fact, I was doing some archaeological research, and the timeline is like following:

• Maven 2 ranges did include snapshots (but was very buggy impl wise)
• some early Maven 3 (maybe even alpha) decided to exclude snapshots from ranges MNG-3092
• then users uproar reverted this again (see issue comment https://issues.apache.org/jira/browse/MNG-4751?focusedCommentId=14416435&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14416435)
• so today, as reproducer shows. range will take into account snapshots as well (also, as 2.0-SNAPSHOT < 2.0, it may be even selected, see reproducer). And this was always like this in Maven 3 history as I see.

There are two confronted user base: one want snapshots in ranges, other does not (see issues, esp https://issues.apache.org/jira/browse/MNG-4751?focusedCommentId=14416435&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14416435 ) - so to have them on not have is clearly a "controversial" issue, breaks us or them.

Sadly, I don't know how could this be expressed even, as today [x,y], no matter are x and y release or snapshot versions, will include snapshots.

The good news: all this is sorted out in Maven 4.

Filter support (and will be enhanced, as you want ns -- no snapshots filter):
https://maven.apache.org/ref/4-LATEST/apidocs/org/apache/maven/api/Constants.html#MAVEN_VERSION_FILTER

Also updated the reproducer to reflect it.

In your case "contextual snapshot filter" should do the trick (if parent artifact is not snapshot but has a range on something, the selection version is not allowed to be snapshot -- this is the essence of "contextual snapshot filter"). We will also add ns that is "unconditional snapshot filter" and modifies Maven to never choose snapshot out of range.

[cstamas]

And as we discussed on other PR, another thing is RRF, basically "making Maven aware what repo may (or may not) have".

[ctubbsii]

Sadly, I don't know how could this be expressed even, as today [x,y], no matter are x and y release or snapshot versions, will include snapshots.

This old documentation that maven-enforcer-plugin still links to says that the snapshots will only be included if they are explicitly in the boundaries of the range. That seems like a sensible compromise:

# pseudo-code
bool includeSnapshotRepos = lowerBound.isSnapshot() || upperBound.isSnapshot()
foreach (repository : allConfiguredRepositories):
  if (includeSnapshotRepos || repository.hasReleasesEnabled):
    metadataRequests.add(repository)

The good news: all this is sorted out in Maven 4.

I was looking at the Maven 4 code in the master branch, and while I couldn't follow all the code, it looked to me like the DefaultVersionRangeResolver was still creating metadata requests for all configured repositories, and filtering out snapshots afterwards, rather than excluding snapshot-only repositories. So, I'm not so sure it is all sorted out in Maven 4.

And as we discussed on other PR, another thing is RRF, basically "making Maven aware what repo may (or may not) have".

I saw this behavior in 3.9.9 and 3.9.10, which I understand uses RRF. I'm not so sure the code path for version range resolution respects the RRF filtering, because it's going directly to the groupId/artifactId (GA) to look at the maven-metadata.xml files for that GA. It doesn't look like RRF helps here.

[cstamas]

I saw this behavior in 3.9.9 and 3.9.10, which I understand uses RRF. I'm not so sure the code path for version range resolution respects the RRF filtering, because it's going directly to the groupId/artifactId (GA) to look at the maven-metadata.xml files for that GA. It doesn't look like RRF helps here.

While RRF was rolled out in Maven 3.9.0 we usually keep new features dormant (not enabled) to not disrupt existing builds, potentially breaking them. Still, the "vanilla" RRF (that present in Maven) needs manual setup (ie downloading prefix files and putting them into repo, like original "demo" did: https://github.com/cstamas/rrf-demo).

Maveniverse Heimdall goes step beyond, and does not require user to download and check in potentially huge files to their repo, instead it handles them as "repo metadata" (but alas, that also needed a fix in resolver due other things, hence vanilla is broken by that too; and again, Heimdall brought fix to core apache/maven-resolver#1503 ) so things are "trickling down", but part of these are in resolver, then Maven release needs to pick it up.... it's just faster to have externally (and quickly) released extension, while all the pieces fall back in their place.

If not clear: Maveniverse is "skunkworks" for Maven, done by Maven devs, and made components will ultimately fall in (or not, like Mason) Maven project.

[ctubbsii]

If not clear: Maveniverse is "skunkworks" for Maven, done by Maven devs, and made components will ultimately fall in (or not, like Mason) Maven project.

That's definitely not clear. It seems like it would be better to have a proper space inside the ASF Maven community for such experiments, to enable more community members to participate and engage in the future direction of the Maven project. If this is a well established thing among the "core" Maven developer community, it could be viewed as an exclusionary space, where the Maven developer "elites" work without input from the community.

[cstamas]

Well, each and every Maveniverse project did start as a response to users outcry (Maven or Resolver and later others). Doing things for community was really the first idea (I am around Maven since 2005). But doing it from within ASF is a bit more complicated and time consuming (and sometimes not in the best way; also see below).

Check out every Maveniverse repository, it is usually some external user (having an itch) and me, or Guillaume.

JBang was first to pick up MIMA, and it spread quite quickly, as using Resolver was a pain in many places for many projects. Then Toolbox (was like m-dependency-p on steroids, or "we should do it better" but grew past that), then Nisse (it was Mojohaus contribution that ended up here), and finally Mimir (my own caching issues, later Maven CI), Njord (Central Portal and sun setting of OSS/S01) and Heimdall (I build many times many different projects and got frozen by things I see; but also even our own PMCs getting banned from ASF due 404s). Also, counterexample: Maven project voted to not host Mason (Maven4 polyglot extension), so it ended up there as well.

This is basically due ASF: even if we are genuinely ASF Maven project devs, we cannot say that on a non ASF site. And we all loved Codehaus, so it goes a bit in that spirit 😄

[cstamas]

One thing remains unclear to me: Maven (even with -U or always repo policy) will ask for metadata once per session.

Like the (modified) reproducer: https://gist.github.com/cstamas/b274de19cb839b6ff15311c81880cd89
(2nd module depends on same artifact but with different range; but as maven metadata was already asked in session, is not asked again, even with -U on command line)

So, how is that one 404 (ask for bouncycastle) GA maven-metadata.xml request related to ASF blocking? How did blocking exactly happened?