[jira] [Commented] (SOLR-17602) Maintain final JAR dependencies in source control to track changes

[Christos Malliaridis (Jira)]

    [ 
https://issues.apache.org/jira/browse/SOLR-17602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17907933#comment-17907933
 ] 

Christos Malliaridis commented on SOLR-17602:
---------------------------------------------

I like the idea and I would love to be able to review such changes as well. The 
plugin that was introduced together with version catalogs does track these 
changes, but in a format that expands to almost 20k lines, making it not 
human-readable anymore.

With the idea of the platform module I started looking into (see 
[https://github.com/apache/solr/pull/2915)], it may be possible to define our 
own format and simply write what we need to a file after the dependencies were 
resolved.

As Jan correctly said, using dependabot for updating such lock files proves 
quite difficult. I want to try an updated version of our solrbot to see if it 
is easier to handle such changes, but I didn't had the time yet to look into it.

> Maintain final JAR dependencies in source control to track changes
> ------------------------------------------------------------------
>
>                 Key: SOLR-17602
>                 URL: https://issues.apache.org/jira/browse/SOLR-17602
>             Project: Solr
>          Issue Type: Task
>          Components: Build
>            Reporter: David Smiley
>            Priority: Major
>
> When we make changes to Solr's dependencies (add/remove/change), we edit our 
> build files, and the code review process shows these changes to corresponding 
> build files.  However, what we all *really* want to know is the impact the 
> change has on the artifacts our users consume.  Almost nobody validates the 
> impact; we hope for the best and find out of problems long later.
> This issue tracks one artifact: Solr's final assembly (any of the zip, 
> tar.gz, or Docker). I propose committing to source control a machine 
> generated file listing of the dependencies  in a text file.  This file shall 
> be updated based on executing a gradle task TBD.  When gradle "check" is run, 
> it will henceforth ensure that this file hasn't been modified or doesn't 
> match the output of the script's generation (details TBD).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org