On 16 Dec 06, at 3:40 AM 16 Dec 06, David Jencks wrote:
On Dec 15, 2006, at 11:05 PM, Jason van Zyl wrote:
<big snip>
Then don't use those repos, or label them as snapshot repos. As
far as Geronimo is concerned why do you need anything more then
central as a source? Aside from your SNAPSHOT dependencies.
This will only stop when Archiva is in full effect. The only way
to submit anything to central will be via Archiva. Any project who
wishes to have the same stability will only take artifacts that
have passed through and instance of Archiva. You'll know you're
using an instance of Archiva because we'll have a wagon for doing
that and it will be configured. It will eventually be the default.
It will simply be the Grizzly client and Jetty using the Grizzly
connector.
Jason, one thing I'd like to point out here is that to a large
extent jdillon has been saying "the current state of maven remote
repos is unreliable" and you are saying, "no, as soon as we get
archiva, signatures, audit trails, etc etc etc working they will be
reliable". That's agreeing with jdillon that the current state of
maven remote repos is unreliable since they don't have signed
artifacts and an audit trail (at least). Just because you wish
remote repos worked and were reliable does not mean they are
today. I personally don't think they will be satisfactory until
you have a revocation procedure in place as well as signing and an
audit trail. I suspect that making this distributed system
reliable is going to be much much harder than you imagine: I hope
I'm wrong because if it works it would be really great.
The central repository itself has always been pretty stable with no
safeguards. I realize not having these safeguards is not great but
things don't just disappear off that machine. We have a huge problem,
it appears, with the syncs we are pulling in automatically.
Organization wide syncs are soon going to stop and it's going to be
per-project so that when garbage appears we will know immediately
who's polluting the repository, Archiva will also keep track of
deletions. So yes, I agree on one hand that we need a watchdog in
place but we are not randomly jumbling stuff around on the central
repository. We're getting burned from our source syncs and the misuse
of SNAPSHOT repositories for the most part.
Another comment I will make is that I am fairly sure there are
severe bugs in the maven artifact resolution process when snapshots
are present.
There are a huge number, I believe it's completely unreliable and
it's going to need an overhaul. It was very apparent from my last
round of travels that in many cases especially when snapshots are
used there are severe problems. I think we underestimated the use
snapshots and how prevalent their use would be for external
dependencies.
This is because if I remove all org.apache.geronimo.modules
artifacts from my local repo and build the corresponding part of
geronimo, if I build online I usually get errors together with
downloaded timestamped artifacts whereas if I build offline the
build succeeds.
Yup, that's a patch we applied for Jason to provide a stopgap
solution. Where no snapshots will be updated when building.
Note carefully that I am only building geronimo artifacts and there
is no change whatsoever in non-geronimo artifacts in my local
repo. I think nearly every time we've made a change involving more
than one module since we started using m2 and pushing snapshots to
the snapshot repo we've had user complaints that the build is
broken, and the solution always is to build offline.
Snapshots are an inherit instability but there are definitely error
in working with snapshots in maven-artifact and it's bad. I see it as
the most critical problem with 2.0.x. But moving toward using less of
them even if that's locking to some timestamped versions will help
greatly.
Your complaints about any already released geronimo artifacts are
totally irrelevant unless you want to recommend we move back to m1
since the 1.2-beta and 2.0-M1 are the first releases we've tried to
do with m2 (except for specs, which got messed up in various other
ways but have not been a giant problem until recently).
With m1 or m2 a release with snapshots is deadly. The practice seems
to be something present regardless of what version of Maven you're
using. The concept of a SNAPSHOT is the same in both versions though
implemented differently.
Even in the face of the instability with SNAPSHOT handling in m2 I
think you can eliminate a lot of it by getting off many of your
SNAPSHOTs and I am trying to get out 2.0.5 which now contains a fix
that always takes SNAPSHOTs locally if you have them.
Jason.
thanks
david jencks
