I'm having some trouble installing dependencies. I'm getting tons of errors like the one below, but I can navigate to the dep in my browser. It's not isolated to this single package.
Could not transfer artifact org.eclipse.jetty:jetty-security:jar:12.1.8 from/to central ( ): Checksum validation failed, no checksums available
C
I have this in my project.clj
:repositories [["central" {:url " "
:snapshots false}]
["clojars" {:url " "
:snapshots false}]]
I haven't had any issues like this up until today in CI and locally once I nuked my .m2 cache. does anyone know what might be wrong? is this the wrong place to ask?adjusting :mirrors worked for us.
as another datapoint, we also ran into this at $WORK. we only experienced it with lein, across a suite of versions and contexts, but almost entirely on github actions using github-hosted runners (i was able to repro once locally).
it makes me wonder if the CDN is doing some rate limiting based on IP ranges - hence failures are observed mostly on CI - and it has some sort of special treatment for tools (e.g. by user agent) but lein isn't blessed to be a part of them? this is all conjecture, i haven't gone very deep into this
That's an interesting theory - tools.deps currently uses the default user-agent ("Aether", see https://clojurians.slack.com/archives/C6QH853H8/p1775731021527679), whereas lein uses "Leiningen/1.12.0 (Java OpenJDK 64-Bit Server VM; Linux 7.0.4-100.fc43.x86_64; amd64)" (on my machine)
I was able to recreate this with a proxy that captured requests, and it is indeed rate limiting that is the issue (429s from maven central). I think tools.deps does better, as it uses a newer maven dependency-resolver version than the latest released lein, which may have better backoff/retry handling. I just tried with a local install of lein from main, and it succeeded (there is an unreleased upgrade to a newer maven dependency-resolver version via pomegranate).
@technomancy would it be possible to get a release of lein to get ^ out?
This feels similar to https://clojurians.slack.com/archives/C0H28NMAS/p1778355041089649, and makes me think there is a CDN issue somewhere with central or something. It is working fine for me in the southeastern US; where are you located?
Massachusetts
Are all the errors related to checksum validation, or are there other types?
all the errors are either Checksum validation failed, no checksums available or just Could not find artifact. Most are the latter
If it was a cdn issue, shouldn't deps have similar issues?
I would think so, yes. I'm curious if deps is using the old repo url. Can you try using that in your project.clj? It's https://repo1.maven.org/maven2/ (I believe that is still the default that lein uses if you don't provide a :repositories entry). It is the same infrastructure, but maybe the CDN doesn't share a cache between them (a complete guess)?
the issue persists
What version of lein are you using?
I've tried with 2.10.0 and 2.12.0
Anything in ~/.lein/profiles.clj? Do you have the http_proxy env var set?
no on both counts
Any plugins in your project.clj? Has anything changed recently?
I upgraded some deps, but reverting to a previous working state has the same issues. https://github.com/meltzg/pigeon-scoops-backend/blob/main/project.clj my project.clj. This was definitely working the last time it deployed
I just noticed you're marked away. This project is deeply unimportant. I did not mean to interrupt your vacation
It's no problem at all! Using your project.clj, all deps resolve for me using lein deps on one try. Then, rm'ing ~/.m2/repository/, they don't. Then, they did on another try. So it feels like an intermittent issue with maven central.
🙃 thanks for validating I'm not crazy
^Oh yay! Nor am I. 🙃
Same (or eerily similar) issue, lein 2.10.0.
Some checksum validation errors, some "Could not find artifact", some "Could not transfer artifact"... lots of noise.
I'm afraid I cannot share my project.clj as private work repo, but just wanted to corroborate, at least.
All good from a warm .m2, only seeing problems when the cache is cold.
yeah. I wasn't caching in CI, so it was always cold. My project is just a small pet project, so I switched to deps.edn
For any weary travellers (and @gregory.m.meltzer, if you miss lein already 😄):
Adding this (or https://maven.apache.org/guides/mini/guide-mirror-settings.html#:~:text=A%20list%20of%20known%20mirrors%20is%20available%20in%20the%20Repository%20Metadata.%20These%20mirrors%20may%20not%20have%20the%20same%20contents%20and%20we%20don%27t%20support%20them%20in%20any%20way.) to :repositories in project.clj seems to do the trick:
"central-google" {:url " " :snapshots false}
Note though that the https://maven.apache.org/guides/mini/guide-mirror-settings.html#:~:text=A%20list%20of%20known%20mirrors%20is%20available%20in%20the%20Repository%20Metadata.%20These%20mirrors%20may%20not%20have%20the%20same%20contents%20and%20we%20don%27t%20support%20them%20in%20any%20way. warn, "These mirrors may not have the same contents and we don't support them in any way."@tcrawley I can see about that, yeah. so the difference is in how it reacts to rate limiting?
I think so. I haven't looked at the resolver code, but lein from main seems to succeed eventually, where 2.12.0 fails to download all the dependencies when rate-limited.
I might try to get https://codeberg.org/leiningen/leiningen/issues/109 included in the next release
it should be relatively quick, and nice to have
Maven Central is definitely rate limiting. They added info about it to their 429 page: https://central.sonatype.org/faq/429-error/
Alex posted more details here: https://clojurians.slack.com/archives/C06MAR553/p1778795662104229?thread_ts=1778794576.833989&channel=C06MAR553&message_ts=1778795662.104229
all the artifacts resolve and download fine if I use deps.edn