RubyGems.org v1 dependency API deprecation #8
Comments
|
Hello, Thank! |
|
@Axel-1 Sorry for the late reply. The RubyGems servers have whitelisted our use of this API from around mid-May until mid-August. We still need to update the plugin for the new API and get a release out (ASAP). |
This is the big drop to get all the major features working properly atop the v2 and compact index APIs rather than the now- defunct v1 dependencies API. I was guessing my way through this codebase a bit but the new APIs are hooked up as follows: * The v1 dependencies API (dependencies?gems=foo,bar) has been mostly replaced with the compact index API. This API provides all versions of one specified gem. Any features that depend on the dependencies API to get multiple gems at once are still broken and will need to iterate over all given gems using the compact index. * The creation of gemspecs and poms from the old gzipped spec format has been moved to the v2 gem info API. All tests are passing in mavengem-protocol, which only depends on features like poms and gems, all of which have been moved to the new APIs. This is close to addressing jruby#8.
Group ID is changed to "com.headius" because I do not have push privileges for "org.torquebox.mojo". Inter-library dependencies switched to use "com.headius" for snapshot deploy, but build still uses the previous release of mavengem extension (did not seem to like me using snapshot extensions from the same project, or at least refused to resolve them. maven-tools updated to latest to fix a bug in gem logic that tried to gsub! on an empty string that now appears to be coming in frozen: jruby/maven-tools@1188743#diff-e4394efc5b28617f42311627dd8af1193c01d1a39b939959085c6836f3e9e5b7R149 With these changes, I have successfully been able to: * Deploy 1.0.4-SNAPSHOT versions of all three artifacts * Show JRuby build failing with a patched 1.0.3 that uses a non-"Java" User-Agent when contacting rubygems.org (causing the v1 deps API to reject requests and gems fail to resolve. * Show JRuby build working with the same User-Agent patch but the new logic to use v2 and compact APIs. Nearly complete solution for jruby#8 but not all features in rubygems-tools are updated and not all v1 deps API and gz data file uses have been purged yet.
|
An update on this: I have in #9 managed to wire up the v2/rubygems API and part of the compact index API used by bundler to replace most of the uses of the v1/dependencies API. The changes are nearly all in rubygems-tools, which is where the bulk of the integration code lives. All tests in mavengem-protocol and mavengem-wagon pass with the new code. Most tests pass in rubygems-tools; the known failures are due to the "bundler API" features and other API endpoints still dependent on getting multiple gems' worth of data using the form I confirmed that the new mavengem works with the disabled v1/dependencies API by doing the following:
So in a pinch, we could do a release with the known issue that the "bundler API" feature is temporarily broken. That would ensure JRuby and other mavengem users can still resolve dependencies past the August 8 shut-down of the v1/dependencies API. Note we have moved this library from the "org.torquebox.mojo" group ID to the "org.jruby.maven" group ID. Torquebox is defunct now and we do not have push rights to that group anyway. Going forward, mavengem maintenance is done by the JRuby team. |
This makes the following changes: * de.saumya.mojo maven group ID changes to org.jruby.maven in all published artifacts * mavengem is used for all gem retrieval instead of the defunct TorqueBox proxy server * mavengem and related dependencies are now sourced from the org.jruby.maven 2.0.0 versions * minor additional changes to get tests passing with the new artifacts This passes all unit and integration tests and deploys successfully as org.jruby.maven:jruby-maven-plugins:3.0.0-SNAPSHOT and should now be immune to the v1/dependencies rubygems.org API shutdown (jruby/mavengem#8).
This makes the following changes: * de.saumya.mojo maven group ID changes to org.jruby.maven in all published artifacts * mavengem is used for all gem retrieval instead of the defunct TorqueBox proxy server * mavengem and related dependencies are now sourced from the org.jruby.maven 2.0.0 versions * minor additional changes to get tests passing with the new artifacts This passes all unit and integration tests and deploys successfully as org.jruby.maven:jruby-maven-plugins:3.0.0-SNAPSHOT and should now be immune to the v1/dependencies rubygems.org API shutdown (jruby/mavengem#8).
This makes the following changes: * de.saumya.mojo maven group ID changes to org.jruby.maven in all published artifacts * mavengem is used for all gem retrieval instead of the defunct TorqueBox proxy server * mavengem and related dependencies are now sourced from the org.jruby.maven 2.0.0 versions * minor additional changes to get tests passing with the new artifacts This passes all unit and integration tests and deploys successfully as org.jruby.maven:jruby-maven-plugins:3.0.0-SNAPSHOT and should now be immune to the v1/dependencies rubygems.org API shutdown (jruby/mavengem#8).
|
Resolved by #9. |
We learned recently that the v1 version of the dependency-lookup API on RubyGems.org was deprecated on February 23, slated for complete removal on (at time of writing) May 10.
This API is used by the mavengem plugin to fetch a list of dependencies for gem artifacts, and is critical to this plugin. When the API goes away–if we are unable to update, test, and release a new version of mavengems–JRuby's build and any downstream builds that fetch Ruby gems as Maven dependencies will cease to function.
I have joined an issue here, basically begging for more time to make this transition: rubygems/rubygems.org#3698 (comment)
This came to our attention, finally, due to the intermittent "brown outs" that RubyGems.org has deployed in the last month. That led to a revival of this jruby-maven-plugins issue: jruby/jruby-maven-plugins#124 (comment)
Had we noticed the original deprecation blog post two months ago we might have had time to make this transition. Now, with only 8 days left and a major Ruby conference coming up (RubyKaigi on the 11th), I don't see how we can fix this before the API shuts down altogether.
I am begging the RubyGems.org maintainers for additional time to make this transition. Meanwhile we need to move quickly to try to fix our uses of the deprecated API (and make sure we're not using any others).
The text was updated successfully, but these errors were encountered: