Re: Auditing version ranges
On 2017-08-15T13:23:17 Thomas Broyer wrote:
> Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough
> for your use-case (also notice there's a Require Release Dependencies rule
> to prohibit snapshot dependencies)
> http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html

Thanks, didn't see that one. I'll give it a shot.

--
Mark Raynsford | http://www.io7m.com
Re: Auditing version ranges
Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough for your use-case (also notice there's a Require Release Dependencies rule to prohibit snapshot dependencies)
http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html

On Tue, 15 Aug 2017 12:06, Mark Raynsford wrote:
> Hello.
>
> I've recently been considering moving to byte-for-byte reproducible
> builds of my software packages. It seems fairly easy to get there via
> plugins such as the reproducible-build-maven-plugin [0] as long as the
> build isn't otherwise unreproducible, but one thing that I am unsure of
> is whether or not it's possible to detect and fail the build if a
> (transitive) dependency is using version ranges.
>
> For example, if I declare a dependency on a package P and P declares a
> dependency on Q using a version range, then my build is effectively
> nondeterministic (because a new version of Q may appear at any time).
> As a consumer of P, I may be totally unaware of Q and therefore won't
> know to override the versions of Q in my own dependencyManagement
> section.
>
> Is there a plugin that can reject the use of version ranges anywhere in
> the transitive dependency tree?
>
> I'm currently using scijava's plugin to reject snapshot versions [1],
> and am using the dependency plugin to fail builds with undeclared
> dependencies.
>
> [0] https://github.com/Zlika/reproducible-build-maven-plugin
> [1] https://github.com/scijava/scijava-maven-plugin
>
> --
> Mark Raynsford | http://www.io7m.com
Auditing version ranges
Hello.

I've recently been considering moving to byte-for-byte reproducible builds of my software packages. It seems fairly easy to get there via plugins such as the reproducible-build-maven-plugin [0] as long as the build isn't otherwise unreproducible, but one thing that I am unsure of is whether or not it's possible to detect and fail the build if a (transitive) dependency is using version ranges.

For example, if I declare a dependency on a package P and P declares a dependency on Q using a version range, then my build is effectively nondeterministic (because a new version of Q may appear at any time). As a consumer of P, I may be totally unaware of Q and therefore won't know to override the versions of Q in my own dependencyManagement section.

Is there a plugin that can reject the use of version ranges anywhere in the transitive dependency tree?

I'm currently using scijava's plugin to reject snapshot versions [1], and am using the dependency plugin to fail builds with undeclared dependencies.

[0] https://github.com/Zlika/reproducible-build-maven-plugin
[1] https://github.com/scijava/scijava-maven-plugin

--
Mark Raynsford | http://www.io7m.com
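One way to audit the resolved tree for exactly the P-depends-on-Q-via-a-range case described above, as an added example that is not part of the thread and not code from Maven, the enforcer plugin or any of the plugins linked: every artifact Maven resolved has its POM cached in the local repository (by default `~/.m2/repository`), so a script can walk those POMs and flag any `<dependency>` whose `<version>` is written as a range. The sample POM embedded below is constructed for the example; the function names (`find_version_ranges`, `scan_local_repository`) are this example's own. Property references such as `${q.range}` are expanded against the same POM's `<properties>` only; parent inheritance and dependencyManagement coming from other POMs are deliberately not followed, so a version that is absent from the POM itself is reported as uncheckable rather than guessed.

```python
"""Scan Maven POM files for dependencies declared with version ranges.

Added example, not code from the thread or from any Maven plugin.  Walk
the POMs Maven has already cached in the local repository (every artifact
in the resolved transitive tree has one there) and report each
<dependency> whose <version> is a range such as [1.0,2.0) or (,1.5].
"""
import os
import re
import xml.etree.ElementTree as ET

# A Maven range is bracketed: [a,b], [a,b), (a,b], (,b] ...  An exact pin
# like [1.0] uses the same syntax but has no comma and is deterministic,
# so it is not treated as a range here.
RANGE_RE = re.compile(r"^\s*[\[(].*[\])]\s*$")
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _strip_ns(root):
    """POMs usually carry the http://maven.apache.org/POM/4.0.0 namespace,
    but not always; drop it so element paths below work either way."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _properties(root):
    """Collect <properties> from this POM plus project.version."""
    props = {}
    props_el = root.find("properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag] = (p.text or "").strip()
    version = root.findtext("version") or root.findtext("parent/version") or ""
    props.setdefault("project.version", version.strip())
    return props


def _expand(value, props):
    """Replace ${name} with the property value when it is known locally."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def is_version_range(version):
    return bool(RANGE_RE.match(version)) and "," in version


def find_version_ranges(pom_xml):
    """Return [(groupId, artifactId, version, section), ...] for every
    dependency in this POM whose property-expanded version is a range.
    section is 'dependencies' or 'dependencyManagement'."""
    root = _strip_ns(ET.fromstring(pom_xml))
    props = _properties(root)
    hits = []
    for section, path in (
        ("dependencies", "dependencies/dependency"),
        ("dependencyManagement", "dependencyManagement/dependencies/dependency"),
    ):
        for dep in root.findall(path):
            raw = (dep.findtext("version") or "").strip()
            if not raw:
                continue  # version managed elsewhere; not checkable from this POM alone
            version = _expand(raw, props)
            if is_version_range(version):
                hits.append((dep.findtext("groupId", "").strip(),
                             dep.findtext("artifactId", "").strip(),
                             version, section))
    return hits


def scan_local_repository(repo_dir):
    """Walk a local Maven repository (e.g. ~/.m2/repository) and return
    {relative pom path: hits} for every cached POM that declares a range."""
    report = {}
    for dirpath, _dirs, files in os.walk(repo_dir):
        for name in files:
            if not name.endswith(".pom"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_version_ranges(fh.read())
            except (ET.ParseError, UnicodeDecodeError):
                continue  # malformed or non-UTF-8 POM: skip rather than crash
            if hits:
                report[os.path.relpath(path, repo_dir)] = hits
    return report


# Constructed sample: package P declares Q with a range (via a property)
# and R with a fixed version.  Only Q should be reported.
SAMPLE_P_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>p</artifactId>
  <version>1.0.0</version>
  <properties>
    <q.range>[1.0,2.0)</q.range>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>q</artifactId>
      <version>${q.range}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>r</artifactId>
      <version>3.1.4</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    import sys
    for gid, aid, ver, section in find_version_ranges(SAMPLE_P_POM):
        print(f"range in {section}: {gid}:{aid}:{ver}")
    if len(sys.argv) > 1:  # optional: path to a local repository to scan
        for pom, hits in scan_local_repository(sys.argv[1]).items():
            print(pom, hits)
```

Run against the sample it prints the single Q range; run with `~/.m2/repository` as an argument after a `mvn dependency:resolve` it lists every cached POM in the tree that uses one. A hit in a POM you do not own is the case from the post: pin that artifact in your own `dependencyManagement` so the range no longer decides what gets resolved.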