#tools-deps
2021-07-07
plexus 05:07:19

does tools.deps use maven repositories specified in the pom of dependencies?

plexus 05:07:47

We have a library which wraps a Java library which is in its own maven repo (not on central or clojars). I thought it would be enough to point to that repo in our pom like this: https://github.com/lambdaisland/witchcraft/blob/main/pom.xml#L91-L95 but seems that isn't working

hiredman 05:07:25

There was something in the recent release notes about this

hiredman 06:07:13

Not in the changelogs, I wonder where I read it, if I recall the gist of it is no, tools deps won't use repos specified in deps, and I believe the reasoning was to avoid potential supply chain attacks

seancorfield 06:07:47

@plexus Yup, if you depend on something that is pulling its dependencies from "non-standard" repos, you need to list those explicitly in your own deps.edn for the reasons that @hiredman mentioned.

plexus 06:07:49

thanks, that's good to know

dharrigan 13:07:06

I have in my deps.edn a set of custom mvn/repos for our company S3 bucket containing jars.

dharrigan 13:07:02

(confirming that having custom mvn/repos does work totally fine 🙂 )

Bobbi Towers 18:07:19

Is there a way to gain control over the way deps are downloaded? I'm living in the woods without high-speed internet and starting a new project often takes dozens of retries over several days. This happens because most downloads end up failing, even after seemingly gathering significant packages which are presumably "cleaned up" when it fails. Is there any way I could change this behavior, or work around it?

Joshua Suskalo 18:07:34

Dependencies downloaded are cached in your local maven repository, and as long as the entire package successfully downloaded, it wouldn't be requested from the server again as long as you are requesting the same version.

Bobbi Towers 18:07:34

Ah, so when it appears that one is "done", that really just means that it started

Joshua Suskalo 18:07:29

The message for a dependency being downloaded occurs when the request is initiated to my understanding

Alex Miller (Clojure team) 18:07:01

there are two messages if you look closely - one for the metadata (.pom) used during dependency expansion, and one for the jar artifact itself

Alex Miller (Clojure team) 18:07:34

there is a control for the number of concurrent download threads and you might be better off with less concurrency, so you could try -Sthreads 1 to get that

Bobbi Towers 18:07:13

Oh cool, thanks I'll try that :)

hiredman 20:07:26

You shouldn't be re-downloading things either, once downloaded they are cached in ~/.m2, if you are using something like docker be sure to store that persistently some way

Bobbi Towers 20:07:00

What I really want is the ability to download them like torrents, or youtube-dl

tvaughan 20:07:43

Is it possible to download artifacts from maven repos using rsync?

hiredman 20:07:55

find a remote host with good bandwidth, run

clj -Sdeps '{:deps ...}' -Spath

then rsync over the ~/.m2 from there

dominicm 21:07:50

Some maven repos do have rsync open. clojars used to.

Bobbi Towers 22:07:21

Oh I get it... that's a great idea! Thank you.