Grzegorz Kossakowski wrote:
I would suggest to read my mail once again. The problem is that
ClassNotFoundException will not be thrown.
Let's assume me have A, B, C:
A depends on B and dependency is declared in A's pom
B depends on C and dependency is declared in B's pom
A depends on C but dependency is not declared in A's pom
Now A's dependency on C will be satisfied by transitive dependency. However,
transitive dependencies are really
vulnerable to the ambiguity of dependency mediation. My main point was that we
should avoid satisfying dependencies by
transitive dependencies. Given that, we should find a way to find out that we
really rely on transitive dependencies.
My point was that transitive dependencies need not be ambiguous any
longer. Project A can now specify in it's dependencyManagement section a
version for C. If C is referenced in a transitive dependency its version
will be ignored and the version specified in the dependencyManagement
will be used instead. I suspect that the reason C isn't in A's pom is
that it isn't an "explicit" dependency, i.e. it is only referenced
indirectly through B. In this case a transitive dependency is appropriate.
As a developer you should go through the dependencies you are using in
your pom and find out what their dependencies are and explicitly define
them in your dependencyManagement (or a parent's). If you don't do this
you will eventually end up with a mess. This is exactly why this patch
was developed.
Yes, the case above can occur, and is probably likely with the released
versions of Maven. However, with explicit dependencyManagement it should
not occur if developers do what they are supposed to. The real culprit
in your scenario above wasn't that there was a transitive dependency. It
was that the way in which you declare the version of the transitive
dependency.
So ultimately, if there is a single "master" pom it would contain all
the versions of everything used anywhere in Cocoon. directly or
indirectly. Since ultimately every other project would extend this you
could be assured that the versions are in synch.
