Hello. I've recently been considering moving to byte-for-byte reproducible builds of my software packages. It seems fairly easy to get there via plugins such as the reproducible-build-maven-plugin [0] as long as the build isn't otherwise unreproducible, but one thing that I am unsure of is whether or not it's possible to detect and fail the build if a (transitive) dependency is using version ranges.
For example, if I declare a dependency on a package P and P declares a dependency on Q using a version range, then my build is effectively nondetermimistic (because a new version of Q may appear at any time). As a consumer of P, I may be totally unaware of Q and therefore won't know to override the versions of Q in my own dependencyManagement section. Is there a plugin that can reject the use of version ranges anywhere in the transitive dependency tree? I'm currently using scijava's plugin to reject snapshot versions [1], and am using the dependency plugin to fail builds with undeclared dependencies. [0] https://github.com/Zlika/reproducible-build-maven-plugin [1] https://github.com/scijava/scijava-maven-plugin -- Mark Raynsford | http://www.io7m.com
pgpMS8Kfc0KU6.pgp
Description: OpenPGP digital signature
