On Mon, Sep 29, 2025 at 7:09 PM Romain Manni-Bucau <[email protected]> wrote: >
> I'm mixed cause this stays a challenge cause you do not handle most of the > gav still. I'm not sure what your point is. Most artifacts won't and shouldn't be touched by this approach. Of those that are, more can be added once we stop bikeshedding on exactly how to do this, roll up our sleeves, and get to work. If this PR had been approved when first submitted, we'd be pretty close to done by now. We started with something like 100 problems. I fixed one so we're down to ~99. Merge this and we're at 98. Every one we fix is an improvement, whether we fix the others or not. Delaying isn't helping. > I'm also mixed about it cause it also creates bugs. > Take you jsonp example, add johnzon as impl....and your exclusion should > trigger the current bug cause the impl used is no more glassfish one > (hardcoded one) but johnzon thanks the SPI overriding. Bugs are not created equal. Almost every warning for this dependency is a false positive that wastes developers' time and attention and teaches them to ignore or turn off dependency analysis. Hypothetically there might somewhere be a true positive, but even if we convert that one true positive into a false negative, it's not a big deal. Someone has one extra unused dependency. The code still works. It is far more important to make sure that all emitted warnings are accurate and actionable than to make sure we warn about everything that might be a minor problem with some very low probability. -- Elliotte Rusty Harold [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
