This is wrong Elliotte, your fix breaks others - see the example I gave, basically any time a user doesn't use the RI - which is common - your fix is wrong.

> It is far more important to make sure that all emitted warnings are
> accurate and actionable than to make sure we warn about everything
> that might be a minor problem with some very low probability.

This is right and the reason your PR doesn't work.

A compromise, if you do not want to implement a complete fix, is to add a bucket "uncertain" in the output and let the user configure exclusions, but like this, this doesn't look mergeable to me without a real rework if you want to keep the mojo valuable.

On Tue, Sep 30, 2025 at 13:23, Elliotte Rusty Harold <[email protected]> wrote:

> On Mon, Sep 29, 2025 at 7:09 PM Romain Manni-Bucau
> <[email protected]> wrote:
> >
> > I'm mixed cause this stays a challenge cause you do not handle most of the
> > gav still.
>
> I'm not sure what your point is. Most artifacts won't and shouldn't be
> touched by this approach. Of those that are, more can be added once we
> stop bikeshedding on exactly how to do this, roll up our sleeves, and
> get to work. If this PR had been approved when first submitted, we'd
> be pretty close to done by now. We started with something like 100
> problems. I fixed one so we're down to ~99. Merge this and we're at
> 98. Every one we fix is an improvement, whether we fix the others or
> not. Delaying isn't helping.
>
> > I'm also mixed about it cause it also creates bugs.
> > Take your jsonp example, add johnzon as impl....and your exclusion should
> > trigger the current bug cause the impl used is no more glassfish one
> > (hardcoded one) but johnzon thanks to the SPI overriding.
>
> Bugs are not created equal. Almost every warning for this dependency
> is a false positive that wastes developers' time and attention and
> teaches them to ignore or turn off dependency analysis. Hypothetically
> there might somewhere be a true positive, but even if we convert that
> one true positive into a false negative, it's not a big deal. Someone
> has one extra unused dependency. The code still works.
>
> It is far more important to make sure that all emitted warnings are
> accurate and actionable than to make sure we warn about everything
> that might be a minor problem with some very low probability.
>
> --
> Elliotte Rusty Harold
> [email protected]
