Hi Robert,

Seems like a fair point to me, I agree the Karaf BOM should only list Karaf
dependencies. It would be nice though to be able to 'use' the library
versions Karaf is using for third party dependencies, without having to
import karaf.git/pom.xml. Any ideas for that?


Please keep in mind that starting from Maven 4.0, a new specific BOM packaging
<https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms>
has been introduced. I have not looked into it, but it might be worth
looking at before making any changes.

Kind regards,
Steven



On Sun, Sep 24, 2023 at 10:55 PM Robert Varga <n...@hq.sk> wrote:

> Hello,
>
> One thing that strikes me is "Bill of Materials" as perceived by karaf-bom.
>
> As it currently stands, karaf-bom includes all declarations of
> karaf.git/pom.xml.
>
> As I understand the bill-of-materials concept under Maven, it should
> only list artifacts provided by a particular project, nothing more,
> nothing less.
>
> In the latter regard, we should be only declaring org.apache.karaf
> artifacts in karaf-bom.
>
> From a downstream's perspective, there is a difference between
> importing karaf-bom (in which case the downstream takes the
> responsibility to align any shared dependencies) and karaf.git/pom.xml
> (in which case I am trusting Karaf with a ton of dependencies).
>
> Currently, there is no distinction between those two.
>
> Is it fair to align karaf-bom with the above expectation (and hence not
> leak things like org.slf4j.api's version)?
>
> As it stands there is no distinction, with this proposal current
> downstreams wishing to retain current state would scope=import
> karaf.git/pom.xml instead of karaf-bom (a change of maven coordinates)
> with no otherwise-observable change.
>
> Does this make sense?
>
> Regards,
> Robert
>
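
An added example (not part of the thread and not Karaf project code): a small Python check that a BOM's `dependencyManagement` lists only artifacts under the project's own groupId, which is the expectation the quoted message describes. The sample POM is constructed with placeholder versions, and `foreign_managed_dependencies` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample BOM for illustration; not Karaf's real karaf-bom.
SAMPLE_BOM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.karaf</groupId>
  <artifactId>karaf-bom</artifactId>
  <version>0.0.0-EXAMPLE</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.karaf.features</groupId>
        <artifactId>standard</artifactId>
        <version>0.0.0-EXAMPLE</version>
      </dependency>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>0.0.0-EXAMPLE</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def foreign_managed_dependencies(pom_xml, own_group="org.apache.karaf"):
    """Return sorted 'groupId:artifactId' entries the BOM manages outside own_group."""
    # Assumption: groupIds are literal; ${...} properties are not resolved here.
    root = ET.fromstring(pom_xml)
    leaked = []
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in root.findall(path, NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        # Match the group itself or a sub-group, not a mere string prefix.
        if group != own_group and not group.startswith(own_group + "."):
            leaked.append(f"{group}:{artifact}")
    return sorted(leaked)


if __name__ == "__main__":
    for entry in foreign_managed_dependencies(SAMPLE_BOM):
        print("third-party version pinned by BOM:", entry)
```

Run against an effective POM in CI, a non-empty result shows which third-party versions a downstream would inherit by importing the BOM.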
