[ https://issues.apache.org/jira/browse/MDEP-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17491733#comment-17491733 ]

Henning Schmiedehausen edited comment on MDEP-753 at 2/14/22, 12:39 AM:
------------------------------------------------------------------------

Thorsten, 

I really appreciate that you look into this problem and that you are trying to 
solve it. However, you keep looking at it the wrong way:

- This is not OpenBSD. I know that you use that as an example but it does not 
change anything. They can do whatever they want to their users, it may be an 
interesting data point but should not serve as an example ("Starbucks no longer 
gives free cups to customers, so Peet's can not do that either" is not an 
argument that holds water for me)
- the dependency plugin has an understood behavior for many years (15 to be 
exact). Changing this now as part of a "3.1 -> 3.x" transition is wrong and the 
wrong approach to users
- you are arguing that the "current behavior is wrong and needs to be changed". 
What you experience right now is Hyrum's law (hi [~hwright]). The current 
behavior is what users expect and changing it leads to user pushback.

Those are the problems. What I suggest to make this a successful transition:

- put these new checks under a switch ("enableStrictDependencyChecks"), turn it 
off by default. Release. That will make all the difference to the people stuck 
on 3.1.2 right now
- turn the switch on by default in a later release. People can still go back by 
saying "I don't want that". 
- work with the core maven team to change the core resolver behavior. Make the 
dependency plugin match that. This is a long game (but then again we do have 
three different dependency resolvers already, why not have a fourth?)

But what you are doing right now is *user unfriendly*. And that is IMHO not the 
right thing to do.


was (Author: hgschmie):
Thorsten, 

I really appreciate that you look into this problem and that you are trying to 
solve it. However, you keep looking at it the wrong way:

- This is not OpenBSD. I know that you use that as an example but it does not 
change anything. They can do whatever they want to their users, that is may be 
an interesting data point but should not serve as an example ("Starbucks no 
longer gives free cups to customers, so Peet's can not do that either" is not 
an argument that hold water")
- the dependency plugin has an understood behavior for many years (15 to be 
exact). Changing this now as part of a "3.1 -> 3.x" transition is wrong and the 
wrong approach to users
- you are arguing that the "current behavior is wrong and needs to be changed". 
What you experience right now is Hyrum's law (hi [~hwright]). The current 
behavior is what users expect and changing it leads to user pushback.

those are the problems. What I suggest to make this a successful transition:

- put these new checks under a switch ("enableStrictDependencyChecks"), turn it 
off by default. Release. That will make all the difference to the people stuck 
on 3.1.2 right now
- turn the switch on by default in a later release. People can still go back by 
saying "I don't want that". 
- work with the core maven team to change the core resolver behavior. Make the 
dependency plugin match that. This is a long game (but then again we do have 
three different dependency resolvers already, why not have a fourth?)

But what you are doing right now is *user unfriendly*. And that is IMHO not the 
right thing to do.

> Non-test dependency reported as Non-test scoped test only dependency
> --------------------------------------------------------------------
>
>                 Key: MDEP-753
>                 URL: https://issues.apache.org/jira/browse/MDEP-753
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: analyze
>    Affects Versions: 3.2.0
>            Reporter: Elliotte Rusty Harold
>            Assignee: Elliotte Rusty Harold
>            Priority: Critical
>             Fix For: 3.3.0
>
>         Attachments: chas.zip, tj.zip
>
>
> Saw this when updating the google-http-java-client from 3.1.2 to 3.2.0 of the 
> plugin. I'm not immediately sure whether this is a regression:
> [INFO] --- maven-dependency-plugin:3.2.0:analyze (default-cli) @ 
> google-http-client ---
> Warning:  Non-test scoped test only dependencies found:
> Warning:     com.google.guava:guava:jar:30.1.1-android:compile
> Warning:     io.opencensus:opencensus-api:jar:0.28.0:compile
> Changing Guava to scope test breaks the build, which is expected based on the 
> code. The warning seems incorrect. 
> https://github.com/googleapis/google-http-java-client/pull/1396
> https://github.com/googleapis/google-http-java-client/pull/1396/checks?check_run_id=2809438131



--
This message was sent by Atlassian Jira
(v8.20.1#820001)