I think you miss the fact that a repository manager is your own. And all the dependency checks can be done globally, all the time, and with a changing policy (jars used during build and test have a lot fewer restrictions than the ones going into your delivered app).
Anyway, about this thread and a shameless plug: From our experience at www.jfrog.org (we are the creators of the Artifactory Maven2 repository manager, Maven Anno Mojo for plugins using Java5 annotations, and Jade Plugins, mainly used today for native compilation), here is what I'll say:

- Doing a Maven migration is not a relaxing experience.
- Having a small team of developers that can write Maven2 plugins (with annotations it's easier :) can really save the day.
- Compromising too much by using Ant scripts (and breaking the Maven philosophy) will very rapidly kill the benefits of Maven and you'll suffer for nothing.
- I'm not pushing at all, but using consultants or experienced people who know the pitfalls of Maven2 can totally change the results.
- Maven2 has a lot of non-intuitive behavior and configuration, and if you mess it up, it can explode big time later on.
- Once your team works correctly with Maven2, the realm of possibility is huge, but without plugin developers you will not exploit it correctly.

For info, we just finished a migration to Maven2 of a 1.2M LOC project with automated deployment distribution and parallel tests of any SVN branch. A pleasure to watch, but it took a lot of effort :(

"*There* Ain't *No Such Thing* As A *Free Lunch*".

Good luck.

On Wed, Aug 27, 2008 at 6:00 AM, Peter Becker <[EMAIL PROTECTED]> wrote:
>
> On Wed, Aug 27, 2008 at 10:46 AM, Wayne Fay <[EMAIL PROTECTED]> wrote:
> >
> > On 8/26/08, Bill Robertson <[EMAIL PROTECTED]> wrote:
> >>
> >> Can you go back and reproduce a build from 2 years ago and all of the components (jars from Maven) that went into it? When you're working at a bank, audit cares about stuff like that.
> >
> > If you're running a proper Maven repo manager etc, then yes, you can easily do this.
>
> That's the main reason I'm still scared of using Maven: you have to rely on something external to your project for this to work right.
>
> I'd rather push the necessary libraries (and sometimes even tools) into a project's repository. You have to start somewhere (e.g. JDK+Ant+VCS tool), but I like to keep that set small. I'm pretty confident I can still get a particular version of a JDK or Ant in a few years' time, but I would need to see a lot of commitment to long-term maintenance before I buy into a Maven repository I would use.
>
> And the security/licensing angle can be done as part of QA measures -- checking a secure hash of every JAR against a list of allowed libraries isn't that hard. If you are really concerned you could even add this as part of a system monitoring solution, scanning for violations on the live systems.
>
> Note that you can work around both types of measures by importing source code instead of JARs -- neither approach is safe if you can't trust your staff in the first place.
>
> Peter

--
http://freddy33.blogspot.com/
http://www.jfrog.org/
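Peter's quoted QA measure, checking a secure hash of every JAR against a list of allowed libraries, as an added Python example that is not part of the original thread. The allowlist values and the sample lib directory are constructed here for illustration; keying the list by file name is an assumption, made so that a JAR carrying an approved name but different bytes is reported separately from a JAR nobody approved.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed allowlist (hypothetical values): file name -> SHA-256 of the reviewed JAR.
# In practice this would be generated from the approved JARs and kept in version control.
ALLOWED_JARS = {
    "commons-lang-2.4.jar": hashlib.sha256(b"approved commons-lang 2.4 bytes").hexdigest(),
    "junit-4.5.jar": hashlib.sha256(b"approved junit 4.5 bytes").hexdigest(),
}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large JARs never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_jars(lib_dir, allowlist):
    """Return a sorted list of (file name, reason) for every JAR under lib_dir that is not
    exactly an approved library: names missing from the allowlist, and approved names whose
    bytes differ from the recorded hash (a replaced or modified JAR)."""
    violations = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        expected = allowlist.get(jar.name)
        actual = sha256_of_file(jar)
        if expected is None:
            violations.append((jar.name, "not on the allowlist"))
        elif actual != expected:
            violations.append((jar.name, "hash mismatch: expected %s.. got %s.." % (expected[:12], actual[:12])))
    return violations


def demo():
    """Constructed sample tree: one approved JAR, one JAR with an approved name but altered
    bytes, and one JAR nobody approved. Returns the violations the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "commons-lang-2.4.jar").write_bytes(b"approved commons-lang 2.4 bytes")
        (lib / "junit-4.5.jar").write_bytes(b"approved junit 4.5 bytes" + b" plus an extra class")
        (lib / "mystery-1.0.jar").write_bytes(b"whatever")
        return check_jars(lib, ALLOWED_JARS)


if __name__ == "__main__":
    for name, reason in demo():
        print("VIOLATION %s: %s" % (name, reason))
```

A non-empty result from check_jars is what a QA gate would fail the build on; the same function can be pointed at a deployed lib directory for the monitoring case Peter mentions.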
