On Dec 16, 2006, at 1:58 PM, Jason Dillon wrote:

On Dec 16, 2006, at 9:33 AM, Jason van Zyl wrote:
IMO, we release source code. Binary distributions and maven artifacts are a convenience. If users can't build our source code, then there's a problem.

You think your users build from sources to make their Geronimo servers for production or are you talking about just the specs? I would argue that it's rare for users to want to build everything from source, but even if they only built the Geronimo sources they still need all the binary dependencies at which point the quality of the repository matters. I think the discussion is germane in the context of your users building production systems from source.

The *user* that wants to build everything from source is me... for automated builds. For our builds, and I had hoped for our releases too, that use the automated system to produce builds, which are always built from source (for our components) so that I can be 100% assured that when I make a build that I know exactly what code (from our components) was included.


My understanding is that geronimo (and openejb) are going to be using the latest released specs that we just voted on until someone finds a bug in one of them.

Why do you want to rebuild released jars? I certainly think the automated system should be rebuilding all the non-released code we know about, but I don't understand the point of ever rebuilding released code. Is this because you think the jar in the remote repo will change? I would think saving the expected hashcode and comparing with the actual hashcode would be more reliable.

I don't really see rebuilding from source as a defense against the remote repo changing. Everyone else is going to be using the remote repo, so even if we have a more correct locally built version everyone else will be screwed. I would think using an svn based repo or keeping our own audit trail (such as the hashes for every released artifact we use) would be more reliable. If some released artifact changes, I think no automated recovery is possible: someone has to figure out why and figure out what to do about it, since maven allegedly guarantees that it will never happen.

Maybe I'm just being stupid... but I'm not getting it yet.

thanks
david jencks


The remote repo is still there for other users that don't need that assurance or don't have time to go and build everything... but I do want that... and I believe that it is in the best interest of the community to get that too.

--jason
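
The audit trail suggested in the thread (save the expected hash of every released artifact you use and compare it with the actual hash) can be sketched as below. This is an added example, not code from the thread, Geronimo or Maven. The function names, the `org/example` coordinates and the jar contents are constructed, and SHA-256 is an assumption, since the thread names no algorithm.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large jars are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pin(repo: Path) -> dict:
    """Record the expected hash of every jar: relative path -> SHA-256."""
    return {p.relative_to(repo).as_posix(): sha256_file(p)
            for p in sorted(repo.rglob("*.jar"))}


def audit(repo: Path, pinned: dict) -> dict:
    """Compare the repo with the pinned hashes. Report only, never repair:
    a changed release needs a person to work out why."""
    actual = pin(repo)
    return {
        "changed": sorted(k for k in pinned if k in actual and actual[k] != pinned[k]),
        "missing": sorted(k for k in pinned if k not in actual),
        "unpinned": sorted(k for k in actual if k not in pinned),
    }


def demo() -> dict:
    """Constructed repo: one jar replaced, one removed, one added after pinning."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        jars = {name: repo / "org/example" / name / "1.0" / f"{name}-1.0.jar"
                for name in ("spec-a", "spec-b", "spec-c")}
        for name in ("spec-a", "spec-b"):
            jars[name].parent.mkdir(parents=True)
            jars[name].write_bytes(f"released bytes of {name}".encode())
        pinned = pin(repo)  # the audit trail, taken when the release is adopted
        jars["spec-a"].write_bytes(b"different bytes, same version number")
        jars["spec-b"].unlink()
        jars["spec-c"].parent.mkdir(parents=True)
        jars["spec-c"].write_bytes(b"artifact nobody pinned")
        return audit(repo, pinned)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In a real build the pinned mapping would be stored under version control next to the build, so that any change to it is itself reviewed.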

