On 25 April 2012 08:39, Matthias Pfau <p...@l3s.de> wrote: > Hi there, > yesterday, we noticed that cassandra is currently published with > inconsistent dependencies. The inconsistencies exist between the published > pom and the published distribution (tar.gz). > > This is a serious issue for us as we are using pom dependencies for > development/testing and a tarball distribution for production. > > I have read > https://issues.apache.org/**jira/browse/CASSANDRA-850<https://issues.apache.org/jira/browse/CASSANDRA-850>and > understood that you version all runtime dependencies in lib/ because > you have to update license files manually and therefore see no benefit in > using ivy. >
Not using ivy any more, switched to Maven ANT tasks.... but same difference. > > However, I would like to make the following proposals for solving the > described issue: > a.) don't put everything from lib/ on the compile classpath but rather > each library individually. Extract the versions into constants that are > used to put the jars from lib/ onto the classpath and to generate a > consistent pom. > Makes some occasionally invalid assumptions about lib folder versioning and maven repo versioning. > b.) go a step back and don't version any jars in lib/ but automate the > retrieval of license files (would do this for you, if needed) > I'd be interested in seeing what reaction you get to this... I suggested it a while back, but got nowhere > c.) create a fat-jar of all dependencies or relabel all dependencies and > publish them to the maven repo, too > God no. not c) > > What do you think? > > I am also interested in knowing what you do to workaround this problem! > And if it is not a problem for you, please tell me why... > Every so often, I get some cycles free and I check the pom for being valid and push patches to the C* devs. I haven't had many cycles in the 1.0.x suite of releases. the 0.8.x set should be fairly close, I think only 1 or 2 releases escaped with different dependencies. Also, for 1 or 2 dependencies, they are exactly the same but the checksums differ due to timestamp changes, a deep diff of the bytecode reveals that the dependencies are effectively the same. Due to having bigger fish to fry, for those deps I have not bothered fighting to get the lib version changed. In general, maintaining the pom is something that can fall off the C* devs radar... in part because some of the devs are not interested in generating poms (I suspect as a result of being burned by some of the woefully bad maven builds I have seen some people force on people [virtually looks at co-worker and shakes head]) and in part because most of the devs are not "Maven" people and so do not fully grok the pom itself. I will take a quick look and see if I can push a patch, sylvain or jonathan are usually happy to apply them for me. > > Kind regards > Matthias >
