Skip to content

build: Configure maven central for plugin management #3438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

build: Configure maven central for plugin management #3438

wants to merge 1 commit into from

Conversation

@MarcelBochtler
Copy link
Member

@MarcelBochtler MarcelBochtler commented Sep 1, 2025

By default, Gradle uses plugins.gradle.ort/m2 in order to download plugins. Unfortunately, this might result to forwarding the request to Maven Central for artifacts that cannot be found on plugins.gradle.org.
This forwarding causes rate limiting for corporations trying to scan the ORT Server with the ORT Server which will then try to download artifacts from Maven Central 1.

More information can be found in 2.

Specifically, adding mavenCentral() as plugin repository will trigger the workaround implemented in 3 where mavenCentral() will be replaced by a corporate mirror of Maven Central.

@MarcelBochtler
build: Configure maven central for plugin management
76449d8 
By default, Gradle uses `plugins.gradle.ort/m2` in order to download
plugins. Unfortunately, this might result to forwarding the request to
Maven Central for artifacts that cannot be found on
`plugins.gradle.org`.
This forwarding causes rate limiting for corporations trying to scan the
ORT Server with the ORT Server which will then try to download artifacts
from Maven Central [1].

More information can be found in [2].

Specifically, adding `mavenCentral()` as plugin repository will trigger
the workaround implemented in [3] where `mavenCentral()` will be
replaced by a corporate mirror of Maven Central.

[1]: https://www.sonatype.com/blog/beyond-ips-addressing-organizational-overconsumption-in-maven-central
[2]: https://blog.gradle.org/maven-central-mirror
[3]: eclipse-apoapsis#3304

Signed-off-by: Marcel Bochtler <[email protected]>
@mnonnenmacher
Copy link
Contributor

mnonnenmacher commented Sep 1, 2025

As an alternative, maybe it is possible to add Maven Central as a plugin repository in the init.gradle.kts template, then this should work as a generic solution for all projects?

@sschuberth
Copy link
Contributor

sschuberth commented Sep 1, 2025

Specifically, adding mavenCentral() as plugin repository will trigger the workaround implemented in 3 where mavenCentral() will be replaced by a corporate mirror of Maven Central.

I thought that work-around would only apply to the runtime of ORT Server. But this change applies to the build time of ORT Server, or?

@mnonnenmacher
Copy link
Contributor

mnonnenmacher commented Sep 1, 2025

Specifically, adding mavenCentral() as plugin repository will trigger the workaround implemented in 3 where mavenCentral() will be replaced by a corporate mirror of Maven Central.

I thought that work-around would only apply to the runtime of ORT Server. But this change applies to the build time of ORT Server, or?

The problem is that the init scrip template allows configuring a mirror for Maven Central, but this does not work for the automatic fallback of the Gradle plugin portal to Maven Central (it redirects to Maven Central if a plugin is requested which it does not contain). So adding Maven Central as a plugin repository before the plugin portal works around that because all plugins contained in Maven Central are not requested from the plugin portal anymore. This allows us to analyze this repository in our infrastructure where we would otherwise get 429 responses from Maven Central.

However, I think it would be better to find a generic solution that does not require modifying the analyzed projects, like adapting the init script to inject Maven Central as a plugin repository (if this works).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bs-ondem bs-ondem Awaiting requested review from bs-ondem bs-ondem will be requested when the pull request is marked ready for review bs-ondem is a code owner

@mnonnenmacher mnonnenmacher Awaiting requested review from mnonnenmacher mnonnenmacher will be requested when the pull request is marked ready for review mnonnenmacher is a code owner

@nnobelis nnobelis Awaiting requested review from nnobelis nnobelis will be requested when the pull request is marked ready for review nnobelis is a code owner

@oheger-bosch oheger-bosch Awaiting requested review from oheger-bosch oheger-bosch will be requested when the pull request is marked ready for review oheger-bosch is a code owner

@sschuberth sschuberth Awaiting requested review from sschuberth sschuberth will be requested when the pull request is marked ready for review sschuberth is a code owner

@wkl3nk wkl3nk Awaiting requested review from wkl3nk wkl3nk will be requested when the pull request is marked ready for review wkl3nk is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MarcelBochtler @mnonnenmacher @sschuberth