[SRU] Maven 3.6.3-1 fails to run with OpenJDK 17

Status changed to 'Confirmed' because the bug affects multiple users.

Now that Ubuntu 20.04 LTS provides the OpenJDK 16 package in the updates pocket (since May 10, 2021), it would be great to have the fix in Ubuntu Maven 3.6.3-2 back-ported to Ubuntu 20.04. I'm working around the problem by installing a local copy of Maven 3.8.1 directly from Apache.

$ apt-cache policy openjdk-16-jdk
openjdk-16-jdk:
  Installed: 16.0.1+9-1~20.04
  Candidate: 16.0.1+9-1~20.04
  Version table:
 *** 16.0.1+9-1~20.04 500
        500 http://ca.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        100 /var/lib/dpkg/status

Without the fix, installing OpenJDK 16 breaks Maven.

This is a blocker for using JDK 16 (release 16 March 2021) along with Maven on 20.04.

This will also be a blocker for the next LTS Java 17 release in September 2021

Is there any assistance I can provide to move this forward?

Please fix it ASAP!

This might be a solution from the Debian folk:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948310

The upstream fix from Debian requires guice >=4.2.3 and, implicitly, a newer version of guava (Debian repo has 29.0). The current available versions in Ubuntu 20.04 are guice 4.2.1 and guava 19.0, so both of these package updates will have to be backported.

Attempting to build maven 3.6.3 with the changes described by the commit in the upstream bug report (https://salsa.debian.org/java-team/maven/-/commit/48fb5b2ae0dcd860d61e4b258d60fcee03d2713c) resulted in maven packages that were missing some required "Depends" declarations, for example libcommons-cli-java and libgeronimo-annotation-1.3-spec-java. These are listed as "Build-Depends" and installing them does allow maven to run on Java 16+.

Hopefully there is some useful info here for the maintainers.

Can we expect a fix? Java 17 is a LTS release, so a working version of Maven would be very helpful. Or do we have to wait half a year for Ubuntu 22.04 to arrive? Thanks!

Any update on this? Do I have to upgrade to Ubuntu 22.04 or is there hope for a fix in Ubuntu 20.04?

Just updating that is is still an issue in 2023, with 20.04.6

The debdiffs for Maven and maven-resolver are in bug #1922654.

Guice that produces no AOP artifact.

Maven that uses no aop guice artifacts

Tested with PPA: ppa:vpa1977/maven-sru-2[1]

[1] https://launchpad.net/~vpa1977/+archive/ubuntu/maven-sru-2/+packages

piuparts test

piuparts test: upgrade to jammy

Build Java 17 project

Build sample maven projects with available openjdk-* packages

Luis, the debdiff you attached seems to have some encoding problems with your name:

"Luís Infante da Câmara"

That string was used as-is in the uploaded package:

guice (4.2.1-1ubuntu0.1~20.04) focal; urgency=medium

  [ Luís Infante da Câmara ]
  * Build and install the no_aop artifact required for Maven (LP: #1930541).

 -- Vladimir Petko <email address hidden> Fri, 20 Oct 2023 21:25:32 +1300

Would you like that encoding fixed? It's also broken in the maven changes file, but ok in the actual changelog:
maven (3.6.3-1ubuntu0.1~20.04) focal; urgency=medium

  * Use no AOP guice library in line with upstream (LP: #1930541).

    [ Luís Infante da Câmara ]
    - debian/maven.links: use no AOP version of guice library.

    [ Vladimir Petko ]
    - debian/control: require updated guice library that produces
      the no AOP artifact.

 -- Vladimir Petko <email address hidden> Fri, 20 Oct 2023 21:39:47 +1300

While we are on the d/changelog topic, why the ~20.04 suffix in the version? This doesn't look like a backport, and the upgrade path looks sane without it:

guice | 3.0-3 | trusty/universe | source
guice | 4.0-2 | xenial/universe | source
guice | 4.0-4 | bionic/universe | source
guice | 4.2.1-1 | focal/universe | source
guice | 4.2.1-1ubuntu0.1~20.04 | focal/unapproved/34d39c0 | source
guice | 4.2.3-2 | jammy/universe | source
guice | 4.2.3-2 | lunar/universe | source
guice | 4.2.3-2 | mantic/universe | source
guice | 4.2.3-2 | noble/universe | source

maven | 3.0.5-1 | trusty/universe | source
maven | 3.3.9-3 | xenial/universe | source
maven | 3.5.2-2 | bionic/universe | source
maven | 3.6.0-1~18.04.1 | bionic-security/universe | source
maven | 3.6.0-1~18.04.1 | bionic-updates/universe | source
maven | 3.6.3-1 | focal/universe | source
maven | 3.6.3-1ubuntu0.1~20.04 | focal/unapproved/cdbd035 | source
maven | 3.6.3-5 | jammy/universe | source
maven | 3.8.7-1 | lunar/universe | source
maven | 3.8.7-1 | mantic/universe | source
maven | 3.8.7-1 | noble/universe | source

Fix encoding and drop backport suffix

Drop backport suffix

Thank you!!! I've corrected the encoding and checked the changes file, now changelog entry there appears correct:
----
 guice (4.2.1-1ubuntu0.1) focal; urgency=medium
 .
   [ Luís Infante da Câmara ]
   * Build and install the no_aop artifact required for Maven (LP: #1930541).

 maven (3.6.3-1ubuntu0.1) focal; urgency=medium
 .
   * Use no AOP guice library in line with upstream (LP: #1930541).
 .
     [ Luís Infante da Câmara ]
     - debian/maven.links: use no AOP version of guice library.
 .
     [ Vladimir Petko ]
     - debian/control: require updated guice library that produces
       the no AOP artifact.
----

Hello Manuel, or anyone else affected,

Accepted maven into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/maven/3.6.3-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Manuel, or anyone else affected,

Accepted guice into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/guice/4.2.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Please also update the [test plan] and add the other test script from [Where problems could occur] which tests a build with other versions of java.

I sponsored and self-accepted the new uploads, since they only contain changes to d/changelog.

Based on https://wiki.ubuntu.com/Testing/EnableProposed I've updated maven and guice (which was libguice-java):

sudo apt-get install maven/focal-proposed
sudo apt-get install libguice-java/focal-proposed

And finally _I could compile Java 17 app on my PC_.

Build quizzes-tutor project with Java 17 (OK)

Build maven examples project using all available JDKs in focal (OK)

I have updated the test scripts and ran then using focal-proposed, all tests pass

Which tests were run exactly please? The ones specified in the Test Plan above, or some other unspecified tests? What versions of guice and maven were tested? What versions of openjdk were they tested against?

The instructions we provide say:

> ...please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal

In this case there are a lot of packages and versions floating about, so there is plenty of opportunity to for ambiguity to lead to releasing something insufficiently tested. So please state unambiguously what you tested and how you tested it, and only then flip the tags back.

This action blocks the release of these updates.

Considering why the bug existed in the first place, it looks like this was a situation created when openjdk-17 was added as a new package to focal-updates. Given that we consider the bug valid and worth fixing, it is therefore a regression created by that upload. This matters, because we should have fixed maven and guice at the same time, and this suggests that our ongoing process for openjdk updates should include testing maven and guice but apparently we are not. I could not find any documentation that details what QA is being performed on these packages before upload.

Anyway, since it was a regression and action is required to prevent a recurrence, I'm flagging it as such, including to the security team since it was a security upload.

> Which tests were run exactly please? The ones specified in the Test Plan above, or some other unspecified tests? What versions of guice and maven were tested? What versions of openjdk were they tested against?

I have ran test scripts in the test plan.
First script `quizzes-tutor` builds the project that failed to build in the original bug description.
Second `examples-test` builds common project types using all openjdk versions available in the archive.

The test logs are available in the comments [1][2][3]

The maven version tested as shown in the logs:
- maven all 3.6.3-1ubuntu0.1

Guice version tested as shown in the logs:
- libguice-java all 4.2.1-1ubuntu0.1

OpenJDK versions tested as shown in the logs:
- openjdk-8-jdk-headless amd64 8u392-ga-1~20.04
- openjdk-11-jdk-headless amd64 11.0.21+9-0ubuntu1~20.04
- openjdk-13-jdk-headless amd64 13.0.7+5-0ubuntu1~20.04
- openjdk-16-jdk-headless amd64 16.0.1+9-1~20.04
- openjdk-17-jdk-headless amd64 17.0.9+9-1~20.04
- openjdk-21-jdk-headless amd64 21.0.1+12-2~20.04.1

Regarding regression:
 - I believe that maven sanity test should be added to autopkgtests of openjdk packages to ensure that development environment remains in working order. See LP: #2016437

[1] https://bugs.launchpad.net/ubuntu/+source/guice/+bug/1930541/comments/29
[2] https://bugs.launchpad.net/ubuntu/+source/guice/+bug/1930541/comments/30
[3] https://bugs.launchpad.net/ubuntu/+source/guice/+bug/1930541/comments/34

build-examples test with Java 21 (OK)

This bug was fixed in the package guice - 4.2.1-1ubuntu0.1

---------------
guice (4.2.1-1ubuntu0.1) focal; urgency=medium

  [ Luís Infante da Câmara ]
  * Build and install the no_aop artifact required for Maven (LP: #1930541).

 -- Vladimir Petko <email address hidden> Fri, 20 Oct 2023 21:25:32 +1300

This bug was fixed in the package maven - 3.6.3-1ubuntu0.1

---------------
maven (3.6.3-1ubuntu0.1) focal; urgency=medium

  * Use no AOP guice library in line with upstream (LP: #1930541).

    [ Luís Infante da Câmara ]
    - debian/maven.links: use no AOP version of guice library.

    [ Vladimir Petko ]
    - debian/control: require updated guice library that produces
      the no AOP artifact.

 -- Vladimir Petko <email address hidden> Fri, 20 Oct 2023 21:39:47 +1300

The verification of the Stable Release Update for guice has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

That was a perfect SRU verification comment and stated exactly what I needed to verify. Thank you!