2013/9/4 10:50 -0700, david.ll...@redhat.com:
> On 09/04/2013 05:27 PM, mark.reinh...@oracle.com wrote:
>> Do you have links to any good descriptions of these best practices?
>> That'd be helpful.
>
> Not a lot as links, as mostly they are "community knowledge" among our
> various teams, but here's a couple for each that I can find relatively
> quickly:
>
> For Maven:
>
> * Version ranges considered harmful [1] [2] [3] [4] (and probably more);
>   we disallow them within our own products for stability reasons
> * Transitive-by-default causes problems in mid to large projects due to
>   extensive conflicts [can't find the discussion...]; fix is to use and
>   verify exclusions, specify "provided" scope, and use
>   maven-enforcer-plugin [5] to ban transitive dependencies

Thanks.  These observations match my own understanding of how Maven and
similar tools (Ivy, Gradle) are used in practice.  As far as I can tell
one of the primary functions of these tools is to allow developers to
correct broken version information in the artifacts they're trying to
use, and of course to resolve conflicts.  One developer I know put it
this way: Nobody actually uses version constraints, and the actual
version numbers in pom.xml files might as well be hash codes.

> For OSGi:
>
> * Using the full capabilities of range dependencies can cause resolution
>   to be NP-complete; best practice is to use ranges in a more restricted
>   manner [6]

Yes, though the degree to which this is a problem in practice seems
unclear.

> * Require-Bundle not recommended due to lack of hiding non-public
>   packages among other things [no link] (however, to be fair this is only
>   due to the way Require-Bundle was designed; it's not an inherent flaw,
>   but it is a best practice not to use it, hence it fits the criteria)

Right.

- Mark
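
Added illustration, not part of the original thread and not code from either correspondent: a small Python check that flags Maven version ranges in a POM, the practice the quoted list says is disallowed for stability reasons. The sample POM, its org.example coordinates and the function names are constructed for this example; only ranges written directly or through a property in the same POM are detected.

```python
import re
import xml.etree.ElementTree as ET  # parse untrusted POMs with defusedxml instead

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM (coordinates are hypothetical, not from the thread).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><lib.version>(,3.0]</lib.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>pinned</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>open-ended</artifactId><version>[1.0,)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>bounded</artifactId><version>[1.2,2.0)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>hard-pin</artifactId><version>[4.1]</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>via-property</artifactId><version>${lib.version}</version></dependency>
  </dependencies>
</project>"""

def is_range(spec):
    """True if a Maven version spec can resolve to more than one version."""
    spec = spec.strip()
    if not spec or spec[0] not in "[(":
        return False  # plain "1.0": a single (soft) version requirement
    if re.fullmatch(r"\[[^,\[\]()]+\]", spec):
        return False  # "[1.0]": hard requirement on exactly one version
    return True       # "[1.0,)", "(,2.0]", "(,1.0],[1.2,)", ...

def find_version_ranges(pom_text):
    """Return (groupId:artifactId, spec) for every dependency declared with a range."""
    root = ET.fromstring(pom_text)
    # Properties defined in this POM only; parent POMs and profiles are not followed.
    props = {p.tag.replace(NS, ""): (p.text or "").strip()
             for p in root.findall(f"{NS}properties/*")}
    findings = []
    # iter() also reaches dependencyManagement and plugin-level dependencies.
    for dep in root.iter(f"{NS}dependency"):
        coords = f"{dep.findtext(NS + 'groupId')}:{dep.findtext(NS + 'artifactId')}"
        raw = (dep.findtext(f"{NS}version") or "").strip()
        spec = re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), raw)
        if is_range(spec):
            findings.append((coords, spec))
    return findings

if __name__ == "__main__":
    for coords, spec in find_version_ranges(SAMPLE_POM):
        print(f"version range: {coords} -> {spec}")
```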