clojars

Janet A. Carr 2024-01-16T00:29:26.218609Z

I'm not sure if I'm doing something wrong, but I just deployed a jar to clojars but I keep getting this error but the jar exists on clojars https://clojars.org/com.janetacarr/quadtree-cljc. All I did for this version was add a license via (write-pom {:pom-data...}) in my build.clj

Error building classpath. Could not find artifact com.janetacarr:quadtree-cljc:jar:0.1.3 in central ()

seancorfield 2024-01-16T00:38:59.403049Z

https://repo.clojars.org/com/janetacarr/quadtree-cljc/0.1.3/ -- looks like you uploaded the -standalone JAR which would be the application, rather than the library JAR?

Janet A. Carr 2024-01-16T00:39:46.865269Z

There's no application, but does the name of the jar itself matter?

seancorfield 2024-01-16T00:42:48.379899Z

Apparently, yes. I would sort of expected deps-deploy to handle that renaming for you...

Janet A. Carr 2024-01-16T00:44:54.328409Z

oh so the jar should be named quadtree-cljc-0.1.3.jar then ?

seancorfield 2024-01-16T00:46:02.023569Z

That should work, yes. You'll have to deploy 0.1.4 now, but...

seancorfield 2024-01-16T00:46:20.567369Z

No wait, let me check one of my projects...

seancorfield 2024-01-16T00:47:11.383569Z

https://github.com/seancorfield/next-jdbc/blob/develop/build.clj#L55 -- yeah, lib-version.jar

seancorfield 2024-01-16T00:48:07.633269Z

(although in my case that path ends up being target/com.github.seancorfield/next.jdbc-1.3.909.jar -- but the trailing part is artifactID-version.jar)

Alex Miller (Clojure team) 2024-01-16T00:48:43.102709Z

the maven deploy plugin renames the jar to this format

seancorfield 2024-01-16T00:49:07.619529Z

But deps-deploy does not, it seems.

Alex Miller (Clojure team) 2024-01-16T00:50:18.962339Z

or maybe it's nexus that renames it, I guess I'm not sure where that happens exactly, but when it ends up in the repo it has to follow the repo naming conventions to be found

seancorfield 2024-01-16T00:50:58.155099Z

This is for Clojars -- so maybe that's why there's no renaming?

seancorfield 2024-01-16T00:52:26.416789Z

This does work by the way:

clojure -Sdeps '{:deps {com.janetacarr/quadtree-cljc$standalone {:mvn/version "0.1.3"}}}'
by virtue of how classifiers work (`$thing` maps to -thing in your JAR file name).

Janet A. Carr 2024-01-16T00:53:01.185799Z

ah so it is the jar name then

Alex Miller (Clojure team) 2024-01-16T00:53:19.748909Z

(this is orthogonal, but I notice there is an older 0.1.14 version - maybe a typo when deployed, and by Maven version comparison rules that will look newer than 0.1.3 or 0.1.4)

seancorfield 2024-01-16T00:53:33.654809Z

(so I guess that's why there is no renaming here -- because <artifact>-<classifier>-<version>.jar is perfectly reasonalbe)

Janet A. Carr 2024-01-16T00:54:16.249239Z

@alexmiller yes, a mistake. 😅

seancorfield 2024-01-16T00:54:33.023739Z

https://repo.clojars.org/com/janetacarr/quadtree-cljc/0.1.0/ has the only version that would work directly -- without -standalone

Alex Miller (Clojure team) 2024-01-16T00:54:46.430579Z

when you do a maven deploy you either tell it coords or give it a pom that has them - it will write the jar to the place according to those coords. I guess maybe the clojars upload doesn't do the same when publishing

Alex Miller (Clojure team) 2024-01-16T00:55:35.516029Z

seems like that would be a good thing for clojars to at least validate (coords match the artifact name)

Janet A. Carr 2024-01-16T00:55:54.637629Z

@seancorfield that's funny because 0.1.0 is the only version built with your build-clj lib haha

seancorfield 2024-01-16T00:56:07.952189Z

Sane defaults 🙂

seancorfield 2024-01-16T00:56:47.814629Z

This is why https://clojure-doc.org/articles/cookbooks/cli_build_projects/ exists now instead 🙂

Janet A. Carr 2024-01-16T00:57:02.629379Z

@alexmiller that'd be nice.

Janet A. Carr 2024-01-16T00:57:21.577749Z

I have half reading the cookbook haha

seancorfield 2024-01-16T00:58:07.348719Z

I wonder how clojars / deps-deploy should handle multiple artifacts with classifiers...? Although that's a question for a different thread I guess 🙂

Janet A. Carr 2024-01-16T00:58:14.316679Z

@alexmiller @seancorfield that was the problem. 0.1.4 works 🙂

👍🏻 1
Janet A. Carr 2024-01-16T00:58:49.124539Z

I think I have a blog post to update somewheres.... Anyways thanks to the both of you!

seancorfield 2024-01-16T01:02:14.669469Z

I'll add a note to http://clojure-doc.org and also chat to Erik about deps-deploy helping prevent this. https://github.com/clojure-doc/clojure-doc.github.io/issues/68

🙌 1
Alex Miller (Clojure team) 2024-01-16T01:38:15.458439Z

multiple artifacts with different classifiers all share the same pom and usually they are uploaded as part of the same deployment (with normal maven deploy plugin)

2024-01-16T12:12:18.058429Z

> when you do a maven deploy you either tell it coords or give it a pom that has them - it will write the jar to the place according to those coords. I guess maybe the clojars upload doesn't do the same when publishing > seems like that would be a good thing for clojars to at least validate (coords match the artifact name) Clojars does verify that the version, group, and artifact name you are trying to deploy (via the path) matches what is in the pom. It doesn't parse the version from the jar file name to confirm that though. Did you see an example where there was a mismatch? I didn't see a mismatch in any version of this project. And I think Clojars did the right thing here otherwise unless it should be invalid to deploy a classified jar without a non-classified one.

seancorfield 2024-01-16T18:19:17.869709Z

@tcrawley The issue was that Janet uploaded <artifact>-standalone-<version>.jar via deps-deploy and that is a perfectly valid pattern -- it just treats standalone as a classifier -- so it can be depended on if you add $standalone to the group/artifact libname. So the libname and version part matched, and Clojars allows for classifiers -- and Clojars accepted it (correctly, IMO).

2024-01-16T18:42:47.675349Z

Thanks @seancorfield! I got that part, I was just curious if @alexmiller spotted a version inconsistency while looking at this, given the above statements. I agree that I think Clojars is doing the correct thing otherwise.

Alex Miller (Clojure team) 2024-01-16T19:22:55.597499Z

wasn't the intent to NOT use a classifier though?

Alex Miller (Clojure team) 2024-01-16T19:23:15.968609Z

maybe I misunderstood

2024-01-16T19:25:57.785929Z

With maven deployment, that's how a classifier is specified to the server (in the jar name). So Clojars has no way to know that wasn't the intent.

2024-01-16T19:27:41.914499Z

in fact, maven repos have no knowledge of classifiers. It's only the clients that have the convention to append the classifier to the name when deploying or retrieving.

2024-01-16T19:28:05.687159Z

Since a maven repo is really just a remote filesystem.

seancorfield 2024-01-16T19:38:43.669289Z

@alexmiller The core issue is that deps-deploy uploads the JAR file with the name as-is, and <artifact>-standalone-<version>.jar is a perfectly valid filename for Maven/Clojars and matches the artifact and version just fine. So Janet had no idea there was a problem. And since standalone was acting as a classifier -- per @tcrawley’s comment -- you could depend on com.janetacarr/quadtree-cljc$standalone and everything "worked as expected". I created an issue for deps-deploy since that's where this could have been caught, in theory.

seancorfield 2024-01-16T19:39:45.330839Z

(and, yes, Janet's intent would have been to "NOT use a classifier" but that's on deps-deploy to prevent)

Alex Miller (Clojure team) 2024-01-16T19:49:22.595599Z

when you deploy should be specifying a classifier if you expect to use one. and whether you do or not should be in sync with the file name. the maven deploy plugin rewrites the jar file name to ensure these match.

seancorfield 2024-01-16T19:50:07.072479Z

Right and deps-deploy does not which is the issue here.

Alex Miller (Clojure team) 2024-01-16T19:51:13.431359Z

I got that and agree, was repsonding to Toby

seancorfield 2024-01-16T19:52:00.295229Z

I think we're all in agreement at this point 🙂 The maven deploy plugin prevents this footgun.