Plugins.gradle.org serving incorrect pom

Help/Discuss Plugin Portal
1

Hello, I’ve not really used Gradle myself, but I use a tool (gtfsvtor) which uses Gradle, and its build has just stopped working. This seems to be due to this file being incorrect: https://plugins.gradle.org/m2/com/fasterxml/jackson/core/jackson-annotations/2.13.0/jackson-annotations-2.13.0.pom

In particular, it should have the SHA256 d74619b062d06e01928e365291ec26d05455783796c1085f03cc7723340f5573 (this appears in our lock files, and matches the contents served by https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.13.0/jackson-annotations-2.13.0.pom ); but it’s currently serving a file with the hash c4ec8228d74f9d9cefe11ebae9f69137479edef6277589453db374d08f1c5162

Diffing the two, it looks like the one served from plugins.gradle.org is using Windows line-endings, and is missing this section:

  <repositories>
    <repository>
      <id>sonatype-nexus-snapshots</id>
      <name>Sonatype Nexus Snapshots</name>
      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
      <releases><enabled>false</enabled></releases>
      <snapshots><enabled>true</enabled></snapshots>
    </repository>
  </repositories>

Any idea why this might have changed? The CI job which spotted this was last run 4 days ago, and was successful (it runs without any caches, so definitely fetched the same URL)

2

Here’s the lock file which no longer matches (it’s actually the gradle2nix tool which fails to build; we use that to build gtfsvtor with Nix) gradle2nix/gradle-env.json at 3f9d3cb01ab32d0514844d2f3efc0cea85278cf4 · Zipabout/gradle2nix · GitHub

That file was last changed in December 2021 (not by us; we just keep a fork in case upstream disappears), and has been working until 4 days ago.

3

Try running with --refresh-dependencies. At least for me it gives the SHA256 you exepect.
Could maybe be related to the JCenter outage where Gradle temporarily switched to a JCenter mirror, maybe that delivered the file differently.

4

Hmm, it was still giving different results (confirmed with both wget and curl); but now seems to have sorted itself out, and every tool’s giving me the correct content again. Probably related to the JCenter outage as you say.