The spec file refers to http URLs like http://repo1.maven.org/maven2/org/apache/apache-resource-bundles/ that now return "501 HTTPS Required". Replacing http with https works fine. The POM files referred to in Source0, Source2, Source4 and Source6 are tracked in Git, but apparently have not been uploaded to the lookaside cache: | [tim@passepartout ~/src/fedora/rpms/apache-resource-bundles]$ rm -f *.pom && fedpkg sources && LANGUAGE=en_GB.UTF-8 git status | On branch rawhide | Your branch is up to date with 'origin/rawhide'. | Changes not staged for commit: | (use "git add/rm <file>..." to update what will be committed) | (use "git restore <file>..." to discard changes in working directory) | deleted: apache-incubator-disclaimer-resource-bundle-1.1.pom | deleted: apache-jar-resource-bundle-1.4.pom | deleted: apache-license-header-resource-bundle-1.1.pom | deleted: apache-resource-bundles-2.pom | no changes added to commit (use "git add" and/or "git commit -a") | [tim@passepartout ~/src/fedora/rpms/apache-resource-bundles]$ They should be removed in Git, added to .gitignore and uploaded to the lookaside cache (the content in Git is identical to the upstream sources listed in the spec file).
I've fixed all maven central links with HTTPS as I updated the packages, it looks like I just haven't touched that package in a while (or ever). I'll update the URLs once I need to. (But if they bother you, feel free to send a PR to fix them.) It's also not required to upload plain-text sources to the lookaside cache (only for binary files, such as compressed tarballs). Since .pom files are just plain-text XML, committing them to git is just fine.