Hello, One thing that strikes me is "Bill of Materials" as perceived by karaf-bom.
As it currently stands, karaf-bom includes all declarations of karaf.git/pom.xml.
As I understand the bill-of-materials concept under Maven, it should only list artifacts provided by a particular project, nothing more, nothing less.
In the latter regard, we should be only declaring org.apache.karaf artifacts in karaf-bom.
From a downstream's perspective, there is a difference between importing karaf-bom (in which case the downstream takes the resposibility to align any shared depdendencies) and karaf.git/pom.xml (in which case I am trusting Karaf with a ton of dependencies).
Currently, there is no distinction between those two.Is it fair to align karaf-bom with the above expectation (and hence not leak things like org.slfj4.api's version)?
As it stands there is no distinction, with this proposal current downstreams wishing to retain current state would scope=import karaf.git/pom.xml instead of karaf-bom (a change of maven coordinates) with no otherwise-observable change.
Does this make sense? Regards, Robert
OpenPGP_signature
Description: OpenPGP digital signature
