
Hi there,
| Heh, so you are willing to trade "build reproducibility" (for all
| projects linked to central repo) for "care about the community"?   o.O
|
| Hrm, please put that on a vote before you do it!
|
| IF you are talking about putting up "dummy" (depsless, only GAV) POMs:
| IMHO, by putting "dummy" poms (without dependency to not screw
| existing builds), only ones with GAV, you do not provide any value to
| community: OSS projects usually move fast, and will quickly switch to
| newer (hopefully fixed) artifacts from central with correct POMs. And
| the companies will... heh, they will use some "advanced repo manager"
| to solve it ;D
The content of such poms is of no real value but it stops millions of
totally useless requests towards ibiblio and produces longer builds and
stupid warnings. So it is more a denial-of-service attack that should be 
stopped.
Look at axis2 with all its dependencies! There is no newer version out
and I have about 50-100 useless requests to missing poms per day.
My project team has 10 developers so multiply this by ten.
I am also using maven for my open-source project. Same result.
Ask ibiblio if you can get a 404 statistic.

When you change the version of one of your dependencies you always have to
face the fact that transitive dependencies change. That has nothing to
do with whether the earlier version had just a stupid GAV pom or not.

Adding a pom with additional dependencies afterwards causes a change
of transitive dependencies in projects that did not change anything.
Please note that business projects need a config-management where
deployment is audit-proof and rebuilding a release on an old tag
should still have the same result as it had when the tag was created.
As people describe, there is a workaround to solve this issue for
enterprises, but if they don't, why should we cause such trouble if
there is no need to do so?

Ahh - I read your posting again. You were not talking about dependencies
in the later added poms but in the next version. So my last paragraph
was not directly related to what you were saying...
|
| IF not, how would you be able to get authoritative data to fill in the
| missing POMs?
|
| Thanks,
| ~t~
|
| On Jan 28, 2008 7:51 PM, Carlos Sanchez <[EMAIL PROTECTED]> wrote:
|> if there's no pom uploaded then you can take 5 minutes of your time
|> and provide one. I try to do it for all the ones I use. It can be
|> because you care about the community or because you are selfish and
|> want your project to be reproducible ;) either way providing a pom
|> doesn't take that long
|>
|
Regards
~  Jörg
| ---------------------------------------------------------------------
| To unsubscribe, e-mail: [EMAIL PROTECTED]
| For additional commands, e-mail: [EMAIL PROTECTED]
|
|

