It is even worse. Are you familiar with Springboot? It has a property for a lot of versions, for both dependencies and plugins. The idea is that you can override it in your own pom file. However, you can do it from commandline as well!
When using the maven-release-plugin it is harder to achieve this, but it is still possible. My rule is that commandline arguments should never have effect on the generated artifacts (so -DskipTests might be acceptable, but -Dmaven.compiler.release=X not) In the near future we might be able to fix this for the consumer-pom, but it won't make it reproducible from sources. thanks, Robert On 24-1-2020 18:23:01, Elliotte Rusty Harold <elh...@ibiblio.org> wrote: Is it possible for a profile to materially affect what gets installed in a repository, particularly the central repo? I'm not concerned about minutiae like builds times and other details the reproducible build work is concerned with. I'm talking about more major things like which classes are and are not in a jar. My gut is that this is possible because profiles can change plugins and plugins can do pretty much anything. Assuming that's so, is there a way to tell from the data in the repo which profile was used to create a particular artifact? I'm particularly concerned about dependencies. Profiles can change dependencies, so the runtime and compile time classpath might depend on the active profile. -- Elliotte Rusty Harold elh...@ibiblio.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
