idiotcult

tl;dr: moves output of distribution URL in only-script mode on Unix to after its final determination

Executing mvnw with the following config (correct distributionSha256Sum for the specified .zip file) on a Linux system without the unzip command not only fails because the .tar.gz file is downloaded as a fallback (see #285 for that) but also produces wrong logs when debugging with MVNW_VERBOSE=true:

wrapperVersion=3.3.4
distributionType=only-script
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
distributionSha256Sum=0d7125e8c91097b36edb990ea5934e6c68b4440eef4ea96510a0f6815e7eeadb

The logs (using a Fedora container as an example of a distro without unzip) look like this:

$ MVNW_VERBOSE=true ./mvnw clean
Couldn't find MAVEN_HOME, downloading and installing it ...
Downloading from: https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
Downloading to: /tmp/tmp.dmwRYtbt0C/apache-maven-3.9.11-bin.zip
Found curl ... using curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time   Current
                                 Dload  Upload   Total   Spent    Left   Speed
100 9060k  100 9060k    0     0  100.0M     0 --:--:-- --:--:-- --:--:-- 100.0M
Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised.
If you updated your Maven version, you need to update the specified distributionSha256Sum property.

Nothing in this log indicates that the .tar.gz file was downloaded instead of the .zip file. Lines 3 and 4 even wrongly state the exact opposite. This does not help in realizing a fallback file was actually fetched for which the (otherwise possibly correct) distributionSha256Sum does not match.

This happens because the verbose messages are output immediately before the availability of unzip is determined and a fallback distribution URL and download path are possibly set. Switching the order of output and check would greatly improve comprehensibility when trying to figure out what actually went wrong in the already convoluted scenario outlined above.


@slachiewicz slachiewicz requested a review from Copilot October 2, 2025 18:57
@slachiewicz slachiewicz added the bug Something isn't working label Oct 2, 2025
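
The ordering described in the pull request above, as an added example that is not part of the original post and not the Maven Wrapper's own script: the effective artifact is resolved first, and only then logged and compared with what the checksum was pinned for. The function names, the return code 2 and the plain `.zip` to `.tar.gz` suffix swap are assumptions made for illustration.

```shell
# Added example, not the Maven Wrapper's own script. Function names and the
# return code 2 are hypothetical; the .zip -> .tar.gz suffix swap is assumed.

# Read one key from a maven-wrapper.properties style file.
prop() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Print the URL that will really be fetched. $2 is yes/no for unzip
# availability and is probed with `command -v` when omitted.
effective_url() {
  url=$1
  have_unzip=${2:-$(command -v unzip >/dev/null 2>&1 && echo yes || echo no)}
  case "$url" in
    *.zip) [ "$have_unzip" = yes ] || url="${url%.zip}.tar.gz" ;;
  esac
  printf '%s\n' "$url"
}

# Log after the final determination, so the output names the real artifact.
# Returns 2 when a checksum is pinned but a fallback artifact will be fetched.
preflight() {
  configured=$(prop distributionUrl "$1")
  pinned=$(prop distributionSha256Sum "$1")
  effective=$(effective_url "$configured" "$2")
  echo "Configured URL: $configured"
  echo "Effective URL:  $effective"
  if [ "$effective" != "$configured" ] && [ -n "$pinned" ]; then
    echo "Warning: distributionSha256Sum will be checked against" \
         "${effective##*/}, not ${configured##*/}" >&2
    return 2
  fi
  return 0
}

# Constructed sample input mirroring the configuration quoted in the PR.
sample_props() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
distributionType=only-script
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
distributionSha256Sum=0d7125e8c91097b36edb990ea5934e6c68b4440eef4ea96510a0f6815e7eeadb
EOF
  printf '%s\n' "$f"
}

# Demo: simulate a host without unzip.
demo=$(sample_props); preflight "$demo" no || true; rm -f "$demo"
```

Run as a CI preflight step, a non-zero result separates "the pinned hash belongs to a different archive" from a genuine integrity failure before any download happens.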
@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes incorrect verbose logging in the Maven Wrapper's only-script mode on Unix systems. The issue occurs when the unzip command is not available, causing the script to fall back to downloading a .tar.gz file instead of the originally specified .zip file, but the verbose logs still show the original .zip URL.

  • Moves verbose logging statements to occur after the distribution URL fallback logic
  • Ensures accurate logging when debugging with MVNW_VERBOSE=true
