Coach Thrasher
TTL of Maven Repositories?
While building Spring Security 2.0.2 from their SVN tag I ran into what is increasingly becoming a major Maven annoyance. Namely, access to or maintenance of public Maven repositories is becoming problematic. They don't seem to be maintained, and when they are broken, many OSS projects aren't fixing references to them.
Spring Security, on the 2.0.2 SVN tag, won't build because it can't find the appropriate JetS3t. This is because the JetS3t jar doesn't exist where it once did. While I had no idea where it once lived, even the JetS3t Downloads page has incorrect instructions to find it: the referenced Maven repository URL doesn't seem to reference a valid S3 bucket. Maybe someone stopped paying the S3 bills?
So, while I was trying to update my JCaptcha code for AppFuse, I couldn't build the main Spring Security tree, nor the sandbox/captcha module required for JCaptcha. What a pain in the butt. Now I had to hunt down the correct version of the JetS3t jar to get Spring Security to build.
It turns out there's an interesting S3-based storage service called S3Browse that links to what appears to be a mirror of the former JetS3t Maven repo path here: http://s3browse.com/explore/maven.springframework.org/external/. It's a bit shady because the jar isn't coming from the JetS3t file's owner, and I have no idea what's compiled into the version sitting on S3Browse. Considering S3Browse's homepage doesn't seem to have been updated since 2007, I'm skeptical the link will live long.
So that begs the question: what's the time to live of OSS Maven repositories? I have faith Apache's will stick around, but there seems to be an opportunity for a repo-aggregator here to suck up the slack.
Posted at 10:43PM Jun 12, 2008 by jason in Software