Missing source artifacts for starters #18212

Closed
Christian-Schmid opened this issue Sep 12, 2019 · 9 comments

@Christian-Schmid

Hi,

I noticed that for some sub projects, starting with release 2.1.0, the -sources.jar artifacts are no longer published to the Maven repository.

Example (still present):
https://repo.spring.io/release/org/springframework/boot/spring-boot-starter-validation/2.0.9.RELEASE/

Example new version (not present anymore):
https://repo.spring.io/release/org/springframework/boot/spring-boot-starter-validation/2.1.0.RELEASE/

As I couldn't find anything in the release notes indicating that you no longer want to publish them, and furthermore I'm a huge fan of source jars, I kindly ask if it was intended to remove those.

Thanks
Chris

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 12, 2019
@snicoll
Member

snicoll commented Sep 12, 2019

A starter has no code at all so it doesn't make sense to publish a source jar for it. I can see that jars that have actual source code in them are still published.

Am I missing something?

@snicoll snicoll added the status: waiting-for-feedback We need additional information before we can continue label Sep 12, 2019
@philwebb
Member

I'm surprised we managed to pass the oss.sonatype repository publishing rules. I thought source jars were always required. I don't think removing them was intentional.

@philwebb philwebb added the for: team-attention An issue we'd like other members of the team to review label Sep 12, 2019
@spencergibb
Member

I don't think pom artifacts require sources.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 12, 2019
@philwebb
Member

They're not POM artifacts.

@spencergibb
Member

Ah, interesting.

@wilkinsona
Member

Both source and javadoc jars are listed in the requirements where it also says the following:

> If, for some reason (for example, license issue or it's a Scala project), you can not provide -sources.jar or -javadoc.jar, please make fake -sources.jar or -javadoc.jar with simple README inside to pass the checking. We do not want to disable the rules because some people tend to skip it if they have an option and we want to keep the quality of the user experience as high as possible.

It looks like the rules have been disabled after all or they're not working as intended.

@wilkinsona
Member

2.0.x wasn't compliant either. It has -sources.jar files but not -javadoc.jar files.
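
Added example, not part of the thread or of the Spring Boot build: a check of the rule quoted above (each jar should ship with `-sources.jar` and `-javadoc.jar`) against a repository directory index. The two HTML listings are constructed to mirror the states described in this issue and are not copies of the real index pages; the function name `missing_companions` is hypothetical.

```python
from html.parser import HTMLParser

# Companion classifiers named in the quoted publishing requirements.
REQUIRED_CLASSIFIERS = ("sources", "javadoc")


class _Hrefs(HTMLParser):
    """Collect the file name of every link in a directory index page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.names.append(href.rsplit("/", 1)[-1])


def missing_companions(index_html, artifact_id, version):
    """Return the required classifiers that have no jar in the listing.

    Returns None when the listing has no main jar, so there is nothing
    to check. Matching is exact, so a checksum or signature file such as
    '...-sources.jar.sha1' does not count as the jar itself.
    """
    parser = _Hrefs()
    parser.feed(index_html)
    files = set(parser.names)
    base = f"{artifact_id}-{version}"
    if f"{base}.jar" not in files:
        return None
    return [c for c in REQUIRED_CLASSIFIERS if f"{base}-{c}.jar" not in files]


# Constructed listing: sources present, javadoc absent (the 2.0.x state).
LISTING_2_0_9 = """<a href="../">../</a>
<a href="spring-boot-starter-validation-2.0.9.RELEASE.jar">jar</a>
<a href="spring-boot-starter-validation-2.0.9.RELEASE.pom">pom</a>
<a href="spring-boot-starter-validation-2.0.9.RELEASE-sources.jar">src</a>
<a href="spring-boot-starter-validation-2.0.9.RELEASE-sources.jar.sha1">sha1</a>"""

# Constructed listing: only jar and pom (assumed shape of the 2.1.0 state).
LISTING_2_1_0 = """<a href="../">../</a>
<a href="spring-boot-starter-validation-2.1.0.RELEASE.jar">jar</a>
<a href="spring-boot-starter-validation-2.1.0.RELEASE.pom">pom</a>"""

if __name__ == "__main__":
    for html, ver in ((LISTING_2_0_9, "2.0.9.RELEASE"), (LISTING_2_1_0, "2.1.0.RELEASE")):
        print(ver, missing_companions(html, "spring-boot-starter-validation", ver))
```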

@snicoll
Member

snicoll commented Sep 13, 2019

> I don't think removing them was intentional.

Agreed. My best guess is that they got removed when we removed the only file the starter provides (META-INF/spring.provides).

We can put fake sources and javadoc jars but it would be worth checking with Sonatype. I'd like to understand why @Christian-Schmid cares or if other sources might be missing (with actual sources in them).

@Christian-Schmid
Author

Hi,
thanks for the quick response!

We're using Spring Boot to build our application and are currently migrating to 2.1*.
To make sure we comply with Open Source obligations we're using Sonatype CLM to scan our application.
With the new version the scan raises some errors.
Digging into the problem I found that the root cause was that the jars are no longer available in the Maven repository.
As other Spring Boot users in corporations probably use the same tooling, I raised the ticket here to avoid everyone having to cope with their findings on their own :-)

Btw: I've got errors for the following other artifacts:

  • org.springframework.boot : spring-boot-starter : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-actuator : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-json : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-logging : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-security : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-tomcat : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-web : 2.1.5.RELEASE
  • org.springframework.boot : spring-boot-starter-validation : 2.1.5.RELEASE

Thanks
Chris

@philwebb philwebb added type: task A general task and removed for: team-attention An issue we'd like other members of the team to review status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged labels Sep 13, 2019
@philwebb philwebb added this to the 2.1.x milestone Sep 13, 2019
@snicoll snicoll modified the milestones: 2.1.x, 2.1.9 Sep 16, 2019
@snicoll snicoll self-assigned this Sep 16, 2019
@snicoll snicoll changed the title from "Missing source artifacts starting Spring Boot 2.1.0" to "Missing source artifacts for starters" Sep 16, 2019
pull bot pushed a commit to scope-demo/spring-boot that referenced this issue Sep 16, 2019