Re: [all] When to update dependencies?

[Rob Tompkins]

> On Jul 25, 2020, at 5:28 PM, Matt Sicker  wrote:
> 
> Exactly. It’s not a general problem, but one specific to various legacy
> APIs still commonly used.

+1

> 
>> On Sat, Jul 25, 2020 at 14:56 Bernd Eckenfels 
>> wrote:
>> 
>> It will only cause problems if this is registered as a service/spi/driver
>> like XML, Crypto, JDBC, Authentication and so on. For internal libraries
>> functions which don't have such global state it's fine.
>> 
>> Gruss
>> Bernd
>> 
>> 
>> --
>> http://bernd.eckenfels.net
>> 
>> Von: Torsten Curdt 
>> Gesendet: Saturday, July 25, 2020 8:29:21 PM
>> An: Commons Developers List 
>> Betreff: Re: [all] When to update dependencies?
>> 
>>> 
>>> They’re not the same class and that’s the problem. It’s similar to
>> loading
>>> two versions of the same library in OSGi
>> 
>> 
>> Let's say you are dealing with
>> 
>>  org.vafer.Foo
>> 
>> the library relocates this as
>> 
>>  org.apache.commons.compress.internal.org.vafer.Foo
>> 
>> The library only deals with
>> 
>>  org.apache.commons.compress.internal.org.vafer.Foo
>> 
>> They cannot get mixed up.
>> Please explain how this will cause problems.
>> 
> -- 
> Matt Sicker 

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Matt Sicker]

Exactly. It’s not a general problem, but one specific to various legacy
APIs still commonly used.

On Sat, Jul 25, 2020 at 14:56 Bernd Eckenfels 
wrote:

> It will only cause problems if this is registered as a service/spi/driver
> like XML, Crypto, JDBC, Authentication and so on. For internal libraries
> functions which don't have such global state it's fine.
>
> Gruss
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Torsten Curdt 
> Gesendet: Saturday, July 25, 2020 8:29:21 PM
> An: Commons Developers List 
> Betreff: Re: [all] When to update dependencies?
>
> >
> > They’re not the same class and that’s the problem. It’s similar to
> loading
> > two versions of the same library in OSGi
>
>
> Let's say you are dealing with
>
>   org.vafer.Foo
>
> the library relocates this as
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> The library only deals with
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> They cannot get mixed up.
> Please explain how this will cause problems.
>
-- 
Matt Sicker 

Re: [all] When to update dependencies?

[Bernd Eckenfels]

When you copy/shade classes then there is no sealing metadata copied, so unless 
the code verifies how it is packaged, it will not know that it isn't sealed 
anymore (or to a different package).

But I guess it doesn't matter, there are many libraries which can be shaded and 
many which can't, for various reasons. That does not mean it's generally not 
possible to reduce some dependencies.

Gruss



--
http://bernd.eckenfels.net

Von: Gary Gregory 
Gesendet: Saturday, July 25, 2020 10:22:58 PM
An: Commons Developers List 
Betreff: Re: [all] When to update dependencies?

How does this work with sealed jars?

Gary

On Sat, Jul 25, 2020, 15:57 Bernd Eckenfels  wrote:

> It will only cause problems if this is registered as a service/spi/driver
> like XML, Crypto, JDBC, Authentication and so on. For internal libraries
> functions which don't have such global state it's fine.
>
> Gruss
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Torsten Curdt 
> Gesendet: Saturday, July 25, 2020 8:29:21 PM
> An: Commons Developers List 
> Betreff: Re: [all] When to update dependencies?
>
> >
> > They’re not the same class and that’s the problem. It’s similar to
> loading
> > two versions of the same library in OSGi
>
>
> Let's say you are dealing with
>
>   org.vafer.Foo
>
> the library relocates this as
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> The library only deals with
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> They cannot get mixed up.
> Please explain how this will cause problems.
>

Re: [all] When to update dependencies?

[Gary Gregory]

How does this work with sealed jars?

Gary

On Sat, Jul 25, 2020, 15:57 Bernd Eckenfels  wrote:

> It will only cause problems if this is registered as a service/spi/driver
> like XML, Crypto, JDBC, Authentication and so on. For internal libraries
> functions which don't have such global state it's fine.
>
> Gruss
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Torsten Curdt 
> Gesendet: Saturday, July 25, 2020 8:29:21 PM
> An: Commons Developers List 
> Betreff: Re: [all] When to update dependencies?
>
> >
> > They’re not the same class and that’s the problem. It’s similar to
> loading
> > two versions of the same library in OSGi
>
>
> Let's say you are dealing with
>
>   org.vafer.Foo
>
> the library relocates this as
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> The library only deals with
>
>   org.apache.commons.compress.internal.org.vafer.Foo
>
> They cannot get mixed up.
> Please explain how this will cause problems.
>

Re: [all] When to update dependencies?

[Bernd Eckenfels]

It will only cause problems if this is registered as a service/spi/driver like 
XML, Crypto, JDBC, Authentication and so on. For internal libraries functions 
which don't have such global state it's fine.

Gruss
Bernd


--
http://bernd.eckenfels.net

Von: Torsten Curdt 
Gesendet: Saturday, July 25, 2020 8:29:21 PM
An: Commons Developers List 
Betreff: Re: [all] When to update dependencies?

>
> They’re not the same class and that’s the problem. It’s similar to loading
> two versions of the same library in OSGi


Let's say you are dealing with

  org.vafer.Foo

the library relocates this as

  org.apache.commons.compress.internal.org.vafer.Foo

The library only deals with

  org.apache.commons.compress.internal.org.vafer.Foo

They cannot get mixed up.
Please explain how this will cause problems.

Re: [all] When to update dependencies?

[Torsten Curdt]

>
> They’re not the same class and that’s the problem. It’s similar to loading
> two versions of the same library in OSGi


Let's say you are dealing with

  org.vafer.Foo

the library relocates this as

  org.apache.commons.compress.internal.org.vafer.Foo

The library only deals with

  org.apache.commons.compress.internal.org.vafer.Foo

They cannot get mixed up.
Please explain how this will cause problems.

Re: [all] When to update dependencies?

[Matt Sicker]

They’re not the same class and that’s the problem. It’s similar to loading
two versions of the same library in OSGi and allowing the two classes to
get mixed up somehow (fun errors like Foo is not type Foo), typically a bug.

On Fri, Jul 24, 2020 at 11:30 Gilles Sadowski  wrote:

> Le ven. 24 juil. 2020 à 17:46, Matt Sicker  a écrit :
> >
> > Shading also violates a lot of common ClassLoader assumptions like not
> > having multiple copies of the same class in the same visible context
> (even
> > if different packages)
>
> How classes in different packages could be the same class?
>
> Gilles
>
> > [...]
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
> --
Matt Sicker 

Re: [all] When to update dependencies?

[Phil Steitz]

On 7/24/20 1:04 AM, Stefan Bodewig wrote:

Hi all

here I'd like to explain why I prefer not to update dependencies just
because we can. Maybe you can convince me that I'm wrong. I've tried to
make this point in different threads but either it has been lost or it
just wasn't worth discussing.

First of all let me get a few things out of the way

* I'm not talking about emails, I can deal with them

* I don't care whether a bot or a human asks for a version update

* I'm only talking about dependencies that are visible to our
   users. Test time dependencies or versions of Maven plugins are
   probably not an issue. Although Compress has mananaged to break its
   OSGi bundle just by upgrading the parent POM in the past.
   https://issues.apache.org/jira/browse/COMPRESS-498

All our components have downstream users. I.e. our dependencies become
somebody else's dependencies as well.

Let's say commons-foo 1.1.0 depends on A 1.12.4 and bumps the dependency
to A 1.12.18 for commons-foo 1.2.0.

When a user of commons-foo upgrades to 1.2.0 and hasn't defined their
dependency on A explicitly they will also upgrade A to 1.12.18. This may
be fine or it may cause problems. The new version of A may have made
incompatible changes that break the user's code or it may just have bugs
that were not present in A 1.12.4 and now raise their head.

Of course the users can explicitly state a dependency on A 1.12.4
themselves. But there is no guarantee commons-foo compiled against A
1.12.18 will still work with A 1.12.4.

About fifteen years ago Ant was bitten by StringBuffer adding a new
method append(StringBuffer) in Java 1.4 (if memory serves me
right). Code that called someStringBuffer.append(anotherStringBuffer)
compiled on Java 1.3 would call append(Object), but compiled on 1.4 it
would call the new version and thus could not run on Java 1.3. This is
the kind of change animal sniffer was invented to detect and the
--release option of javac deals with. There is no such tool helping us
with APIs that are not part of the Java classlib.

Therefore I believe updating a dependency is a risk and we should leave
it to the users to decide which version they want to use.

Unless we've got real reasons to update. Real reasons IMHO are security
issues, bugs in dependencies causing bugs in our code or when we really
want to use new features introduced in a new version.



+1

Above seems a good list of reasons to me.

I would also add that we should try as much as possible to avoid 
dependencies in Commons components.  There is no need to update 
dependencies that don't exist :)  I agree with Gary though that shading 
/ pasting should not be used to avoid dependencies in Commons 
components.  Some can't avoid having dependencies.  When they do, I 
think your criteria for when to update is good.


I agree strongly with the point you make below about the need to care 
more about our downstream users than ourselves or upstream. If we pass 
too many regression or compatibility bugs forward, we will eventually 
lose the former, which makes our components kind of pointless.


I also agree with your view on automatic transitive dependency 
resolution.  Violates what I call the law of conservation of real work.  
But that ship has sailed...


Phil



Outside of these good reasons I wouldn't want to ever update a
dependency.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Torsten Curdt]

>
> > - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> >> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> >> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
> no
> >> matter what classpath ordering it uses.
> >> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
> no
> >> matter what classpath ordering it uses.
>
> I agree here. Shading is quite subtle indeed and can cause Jar hell. I see
> what you’re saying. Hm…this does indeed become interesting.
>

I just cannot cause jar hell. Stop with the FUD or explain how it is a
problem.
The above is an example of what it prevents.

Re: [all] When to update dependencies?

[Torsten Curdt]

>
> The key phrase is "which would be stupid" which you as a consumer have zero
> control over. People do stupid things all the time.
>

If people use a package that is called "internal" or something - there is
nothing anyone can do.
And really beyond the point.


> > To be more explicit. I am maintaining org.vafer.jdependency which uses
> > org.objectweb.asm.
> > If you look at the final jar you find
> >
> >   org/vafer/jdeb/shaded/objectweb/asm/*.class
> >
> > The shaded classes are relocated and become part of the context of the
> > library that is shading.
> > A shading hell is just not possible as long as there are no classpath
> > problems on the library itself.
> >
>
> And this contributes to the problem: This library has now made it
> impossible to pick up a fix in ASM or just plain support for a new Java
> version.
>

It does not - at all ...and is a completely different topic.

Re: [all] When to update dependencies?

[Gilles Sadowski]

Le ven. 24 juil. 2020 à 17:39, Gary Gregory  a écrit :
>
> On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins  wrote:
>
> >
> >
> > > On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
> > >
> > >>
> > >> You can imagine all manner of jar-hell created by shading.  For
> > instance:
> > >>
> > > - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> > >> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> > >> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
> > no
> > >> matter what classpath ordering it uses.
> > >> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
> > no
> > >> matter what classpath ordering it uses.
> >
> > I agree here. Shading is quite subtle indeed and can cause Jar hell. I see
> > what you’re saying. Hm…this does indeed become interesting.
> >
> > I suppose we need to have a standard pattern for shading when to, when not
> > to, etc. so that we can more effectively have dependency upgrade
> > automation??
> >
> > That said, the point that you make is indeed subtle enough that unless we
> > are very simplistic with our shading, dependency upversioning and
> > compatibility can
> > become an NP-complete problem. Thus we need standards here.
> >
>
> My standard is simple: Don't shade if you offer a jar for reuse.

A shaded class is not part of the public API; how does it affect
reuse?

I also don't understand your expectation in the Jacoco example:
Why should it support more recent class files than those for which
that particular version was released?
Assuming that Jacoco did not shade that library, perhaps some
things would still work with another version of it, while other things
would break (I think this was the scenario pointed out by Stefan).

> Anything offered as a FOSS jar as the potential for reuse and therefore
> becomes a potential contributor to shade hell.

I'd also favour explicit dependency over shading.  The possibility
was presented as an alternative to the "coding horrors" that arise
in Commons because of the "no dependency" argument.

Gilles

>
> Gary
>
>
>> [...]

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gilles Sadowski]

Le ven. 24 juil. 2020 à 17:46, Matt Sicker  a écrit :
>
> Shading also violates a lot of common ClassLoader assumptions like not
> having multiple copies of the same class in the same visible context (even
> if different packages)

How classes in different packages could be the same class?

Gilles

> [...]

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 12:00 PM Gary Gregory 
wrote:

> On Fri, Jul 24, 2020 at 11:43 AM Rob Tompkins  wrote:
>
>>
>>
>> > On Jul 24, 2020, at 11:36 AM, Gary Gregory 
>> wrote:
>> >
>> > On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins 
>> wrote:
>> >
>> >>
>> >>
>> >>> On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
>> >>>
>> 
>>  You can imagine all manner of jar-hell created by shading.  For
>> >> instance:
>> 
>> >>> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
>>  - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
>>  - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it
>> can't
>> >> no
>>  matter what classpath ordering it uses.
>>  - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it
>> can't
>> >> no
>>  matter what classpath ordering it uses.
>> >>
>> >> I agree here. Shading is quite subtle indeed and can cause Jar hell. I
>> see
>> >> what you’re saying. Hm…this does indeed become interesting.
>> >>
>> >> I suppose we need to have a standard pattern for shading when to, when
>> not
>> >> to, etc. so that we can more effectively have dependency upgrade
>> >> automation??
>> >>
>> >> That said, the point that you make is indeed subtle enough that unless
>> we
>> >> are very simplistic with our shading, dependency upversioning and
>> >> compatibility can
>> >> become an NP-complete problem. Thus we need standards here.
>> >>
>> >
>> > My standard is simple: Don't shade if you offer a jar for reuse.
>> >
>> > Anything offered as a FOSS jar as the potential for reuse and therefore
>> > becomes a potential contributor to shade hell.
>>
>> Sounds like a good place to start. Don’t we shade lang into text though
>> (could totally be wrong here)?
>>
>
> Text does not shade lang. Commons, as far as I know, does not shade
> anything, and IMO should not.
>

It is critical to understand the difference between shading vs. depending.
In "depending", Text expects Lang to be on the classpath, and this is
enforced at build time by Maven and your POM such that tests can run.

In shading (with the Maven shade plugin for example), the build _copies_
the class files from a third party jar into _your_ jar file. Whether you
keep the original package names or repackage the third party code is your
choice.

Gary


>
> Gary
>
>
>>
>> -Rob
>>
>> >
>> > Gary
>> >
>> >
>> >> -Rob
>> >>
>> 
>> >>>
>> >>> Sorry, but I cannot follow the problems you are trying to show.
>> >>>
>> >>> L1 has ShadeA and ShadeB
>> >>> L2 has ShadeA and ShadeB
>> >>> but both have their own version that doesn't clash and that doesn't
>> know
>> >>> anything about the other one.
>> >>> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses
>> the
>> >>> hidden package from L1 which would be stupid)
>> >>> There are no clashes and every library uses the version that it needs.
>> >>>
>> >>> To be more explicit. I am maintaining org.vafer.jdependency which uses
>> >>> org.objectweb.asm.
>> >>> If you look at the final jar you find
>> >>>
>> >>> org/vafer/jdeb/shaded/objectweb/asm/*.class
>> >>>
>> >>> The shaded classes are relocated and become part of the context of the
>> >>> library that is shading.
>> >>> A shading hell is just not possible as long as there are no classpath
>> >>> problems on the library itself.
>> >>>
>> >>> It's like you are copy the code into your package.
>> >>> Bytecode manipulation is really not that bad as you make it to be.
>> >>>
>> >>> Just creating uberjars (without relocation)  - that's a whole
>> different
>> >>> story.
>> >>> That should only ever been done on the final application artifact.
>> >>
>> >>
>> >> -
>> >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> >> For additional commands, e-mail: dev-h...@commons.apache.org
>> >>
>> >>
>>
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>
>>

Re: [all] When to update dependencies?

[Rob Tompkins]

> On Jul 24, 2020, at 12:00 PM, Gary Gregory  wrote:
> 
> On Fri, Jul 24, 2020 at 11:43 AM Rob Tompkins  wrote:
> 
>> 
>> 
>>> On Jul 24, 2020, at 11:36 AM, Gary Gregory 
>> wrote:
>>> 
>>> On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins 
>> wrote:
>>> 
 
 
> On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
> 
>> 
>> You can imagine all manner of jar-hell created by shading.  For
 instance:
>> 
> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
>> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
>> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it
>> can't
 no
>> matter what classpath ordering it uses.
>> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it
>> can't
 no
>> matter what classpath ordering it uses.
 
 I agree here. Shading is quite subtle indeed and can cause Jar hell. I
>> see
 what you’re saying. Hm…this does indeed become interesting.
 
 I suppose we need to have a standard pattern for shading when to, when
>> not
 to, etc. so that we can more effectively have dependency upgrade
 automation??
 
 That said, the point that you make is indeed subtle enough that unless
>> we
 are very simplistic with our shading, dependency upversioning and
 compatibility can
 become an NP-complete problem. Thus we need standards here.
 
>>> 
>>> My standard is simple: Don't shade if you offer a jar for reuse.
>>> 
>>> Anything offered as a FOSS jar as the potential for reuse and therefore
>>> becomes a potential contributor to shade hell.
>> 
>> Sounds like a good place to start. Don’t we shade lang into text though
>> (could totally be wrong here)?
>> 
> 
> Text does not shade lang. Commons, as far as I know, does not shade
> anything, and IMO should not.
> 

Good! I wholeheartedly agree, and this get’s us out of this discussion I 
believe. Our consumers may deal with shading as they see fit. But, staying up 
to date
on dependencies in an automated fashion is invaluable. I think this is the way 
we prevent security vulnerabilities cropping up.

-Rob


> Gary
> 
> 
>> 
>> -Rob
>> 
>>> 
>>> Gary
>>> 
>>> 
 -Rob
 
>> 
> 
> Sorry, but I cannot follow the problems you are trying to show.
> 
> L1 has ShadeA and ShadeB
> L2 has ShadeA and ShadeB
> but both have their own version that doesn't clash and that doesn't
>> know
> anything about the other one.
> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
> hidden package from L1 which would be stupid)
> There are no clashes and every library uses the version that it needs.
> 
> To be more explicit. I am maintaining org.vafer.jdependency which uses
> org.objectweb.asm.
> If you look at the final jar you find
> 
> org/vafer/jdeb/shaded/objectweb/asm/*.class
> 
> The shaded classes are relocated and become part of the context of the
> library that is shading.
> A shading hell is just not possible as long as there are no classpath
> problems on the library itself.
> 
> It's like you are copy the code into your package.
> Bytecode manipulation is really not that bad as you make it to be.
> 
> Just creating uberjars (without relocation)  - that's a whole different
> story.
> That should only ever been done on the final application artifact.
 
 
 -
 To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
 For additional commands, e-mail: dev-h...@commons.apache.org
 
 
>> 
>> 
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>> 
>> 


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 11:43 AM Rob Tompkins  wrote:

>
>
> > On Jul 24, 2020, at 11:36 AM, Gary Gregory 
> wrote:
> >
> > On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins 
> wrote:
> >
> >>
> >>
> >>> On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
> >>>
> 
>  You can imagine all manner of jar-hell created by shading.  For
> >> instance:
> 
> >>> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
>  - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
>  - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it
> can't
> >> no
>  matter what classpath ordering it uses.
>  - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it
> can't
> >> no
>  matter what classpath ordering it uses.
> >>
> >> I agree here. Shading is quite subtle indeed and can cause Jar hell. I
> see
> >> what you’re saying. Hm…this does indeed become interesting.
> >>
> >> I suppose we need to have a standard pattern for shading when to, when
> not
> >> to, etc. so that we can more effectively have dependency upgrade
> >> automation??
> >>
> >> That said, the point that you make is indeed subtle enough that unless
> we
> >> are very simplistic with our shading, dependency upversioning and
> >> compatibility can
> >> become an NP-complete problem. Thus we need standards here.
> >>
> >
> > My standard is simple: Don't shade if you offer a jar for reuse.
> >
> > Anything offered as a FOSS jar as the potential for reuse and therefore
> > becomes a potential contributor to shade hell.
>
> Sounds like a good place to start. Don’t we shade lang into text though
> (could totally be wrong here)?
>

Text does not shade lang. Commons, as far as I know, does not shade
anything, and IMO should not.

Gary


>
> -Rob
>
> >
> > Gary
> >
> >
> >> -Rob
> >>
> 
> >>>
> >>> Sorry, but I cannot follow the problems you are trying to show.
> >>>
> >>> L1 has ShadeA and ShadeB
> >>> L2 has ShadeA and ShadeB
> >>> but both have their own version that doesn't clash and that doesn't
> know
> >>> anything about the other one.
> >>> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
> >>> hidden package from L1 which would be stupid)
> >>> There are no clashes and every library uses the version that it needs.
> >>>
> >>> To be more explicit. I am maintaining org.vafer.jdependency which uses
> >>> org.objectweb.asm.
> >>> If you look at the final jar you find
> >>>
> >>> org/vafer/jdeb/shaded/objectweb/asm/*.class
> >>>
> >>> The shaded classes are relocated and become part of the context of the
> >>> library that is shading.
> >>> A shading hell is just not possible as long as there are no classpath
> >>> problems on the library itself.
> >>>
> >>> It's like you are copy the code into your package.
> >>> Bytecode manipulation is really not that bad as you make it to be.
> >>>
> >>> Just creating uberjars (without relocation)  - that's a whole different
> >>> story.
> >>> That should only ever been done on the final application artifact.
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >> For additional commands, e-mail: dev-h...@commons.apache.org
> >>
> >>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

Re: [all] When to update dependencies?

[Matt Sicker]

Shading also violates a lot of common ClassLoader assumptions like not
having multiple copies of the same class in the same visible context (even
if different packages) and gets more complex as your types do. I’ve seen
this problem when projects tried to shade Avro or Protobuf. As a downstream
user of the library, it becomes impossible to use the upstream code without
using its shaded code.

Of course, this is not always the case, but it’s usually sloppy. That’s not
even counting reflection APIs.

On Fri, Jul 24, 2020 at 10:34 Gary Gregory  wrote:

> On Fri, Jul 24, 2020 at 10:50 AM Gilles Sadowski 
> wrote:
>
> > Hello.
> >
> > Le ven. 24 juil. 2020 à 14:48, Gary Gregory  a
> > écrit :
> > >
> > > On Fri, Jul 24, 2020 at 6:03 AM Gilles Sadowski 
> > > wrote:
> > >
> > > > 2020-07-24 11:25 UTC+02:00, Torsten Curdt :
> > > > > It still needs a person to decide to merge a PR for a new version.
> > > > > So this indeed is just about the dependency upgrade policies.
> > > > >
> > > > > But isn't that what the version definition is for?
> > > >
> > > > Ideally.
> > > > In practice, I think that all we can assume is that the version
> > > > string is a quick-glance summary of changes, for human
> > > > consumption.
> > > >
> > > > > I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> > > > > downgrade,
> > > > > 1.12.4 -> 1.20.0 not so much.
> > > > >
> > > > > But to avoid all this is why I usually try to inline dependencies
> for
> > > > > libraries as much as possible. Basically pretending to not have
> any.
> > > > > This of course depends on whether the dependency can be isolated
> that
> > > > way.
> > > > >
> > > > > Also a point I made many times.
> > > > > Just wanted to mention it - again :)
> > > >
> > > > I think that it would be great that "Commons" has a common
> > > > policy for dealing with this (so that we don't have to repeat
> > > > ourselves every now and then).
> > > > A long time ago, the "shade" feature seemed the perfect
> > > > answer to that problem.  Yet, to avoid dependencies even
> > > > on another Commons component, several of us continue to
> > > > support the copy/paste option.
> > > >
> > >
> > > There are a few items I'd like to address in this thread so I'll start
> > with
> > > the above.
> > >
> > > I would like to offer my view on shading and copy/paste as - to borrow
> > Jeff
> > > Atwood's expression - a "coding horror". While you may think that there
> > are
> > > still edge cases where this may seem to some as necessary or
> expedient, I
> > > hope to dissuade you from these practices.
> > >
> > > The first and most obvious horror to me is the copying and pasting of
> > bugs
> > > and hard to maintain code. You may also end up taking along supporting
> > > methods and classes to support the code you copy. While this may seem
> to
> > > follow the YAGNI principle, my claim is that you can end up with an
> > iceberg
> > > of new code, where the new API surface above the water does not end up
> > > exercising all of the supporting code you had to drag along that lies
> > > below.
> > >
> > > The question where I am most curious to hear back from the copy clan
> is:
> > Do
> > > you also copy the unit tests that cover the code you copied? No? Coding
> > > horror #2.
> > >
> > > The third horror does not affect us within Apache but its general
> > practice
> > > begs its adherents to answer: Did you check the license of the code you
> > > copied? No? Coding horror #3. Again, this is not an issue within Apache
> > > projects, but the question pops up time and time again at Apache (and
> at
> > > work): Can I copy this code I found outside of Apache?
> > >
> > > The fourth and final copy horror falls in the same category as the
> first
> > > and deserves its own mention: security; and can be best understood with
> > > this question: How often do you check for CVEs for the library
> containing
> > > the code you copied? Never? Coding horror #4.
> >
> > Agreeing on all the above.
> >
> > Yet, every time there is an opportunity to engage in this wise
> > path, the copying/pasting continues and slowly grows the iceberg.
> > A recent example is the issue with pseudo-random numbers
> > generation where maintaining duplicate functionality in [Lang]
> > was preferred even though [RNG] has 100% coverage (and a
> > explicit scope that entails it will never have any dependency of
> > its own).
> >
>
> Would you be willing to provide a PR that deprecates the relevant APIs and
> points to their equivalent in RNG? It will be more cruft we can trim for
> 4.0, whenever that happens.
>
>
> > > Shading has its limited use in my view, and I've used it to provide
> > > monolithic versions of applications, but beyond that, I've no use for
> it;
> > > but the pain it can cause is very real indeed.
> > >
> > > You can imagine all manner of jar-hell created by shading.  For
> instance:
> > > - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> > > - library L2 shades library 

Re: [all] When to update dependencies?

[Rob Tompkins]

> On Jul 24, 2020, at 11:36 AM, Gary Gregory  wrote:
> 
> On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins  wrote:
> 
>> 
>> 
>>> On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
>>> 
 
 You can imagine all manner of jar-hell created by shading.  For
>> instance:
 
>>> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
 - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
 - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
>> no
 matter what classpath ordering it uses.
 - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
>> no
 matter what classpath ordering it uses.
>> 
>> I agree here. Shading is quite subtle indeed and can cause Jar hell. I see
>> what you’re saying. Hm…this does indeed become interesting.
>> 
>> I suppose we need to have a standard pattern for shading when to, when not
>> to, etc. so that we can more effectively have dependency upgrade
>> automation??
>> 
>> That said, the point that you make is indeed subtle enough that unless we
>> are very simplistic with our shading, dependency upversioning and
>> compatibility can
>> become an NP-complete problem. Thus we need standards here.
>> 
> 
> My standard is simple: Don't shade if you offer a jar for reuse.
> 
> Anything offered as a FOSS jar as the potential for reuse and therefore
> becomes a potential contributor to shade hell.

Sounds like a good place to start. Don’t we shade lang into text though (could 
totally be wrong here)?

-Rob

> 
> Gary
> 
> 
>> -Rob
>> 
 
>>> 
>>> Sorry, but I cannot follow the problems you are trying to show.
>>> 
>>> L1 has ShadeA and ShadeB
>>> L2 has ShadeA and ShadeB
>>> but both have their own version that doesn't clash and that doesn't know
>>> anything about the other one.
>>> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
>>> hidden package from L1 which would be stupid)
>>> There are no clashes and every library uses the version that it needs.
>>> 
>>> To be more explicit. I am maintaining org.vafer.jdependency which uses
>>> org.objectweb.asm.
>>> If you look at the final jar you find
>>> 
>>> org/vafer/jdeb/shaded/objectweb/asm/*.class
>>> 
>>> The shaded classes are relocated and become part of the context of the
>>> library that is shading.
>>> A shading hell is just not possible as long as there are no classpath
>>> problems on the library itself.
>>> 
>>> It's like you are copy the code into your package.
>>> Bytecode manipulation is really not that bad as you make it to be.
>>> 
>>> Just creating uberjars (without relocation)  - that's a whole different
>>> story.
>>> That should only ever been done on the final application artifact.
>> 
>> 
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>> 
>> 


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 11:30 AM Rob Tompkins  wrote:

>
>
> > On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
> >
> >>
> >> You can imagine all manner of jar-hell created by shading.  For
> instance:
> >>
> > - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> >> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> >> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
> no
> >> matter what classpath ordering it uses.
> >> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
> no
> >> matter what classpath ordering it uses.
>
> I agree here. Shading is quite subtle indeed and can cause Jar hell. I see
> what you’re saying. Hm…this does indeed become interesting.
>
> I suppose we need to have a standard pattern for shading when to, when not
> to, etc. so that we can more effectively have dependency upgrade
> automation??
>
> That said, the point that you make is indeed subtle enough that unless we
> are very simplistic with our shading, dependency upversioning and
> compatibility can
> become an NP-complete problem. Thus we need standards here.
>

My standard is simple: Don't shade if you offer a jar for reuse.

Anything offered as a FOSS jar as the potential for reuse and therefore
becomes a potential contributor to shade hell.

Gary


> -Rob
>
> >>
> >
> > Sorry, but I cannot follow the problems you are trying to show.
> >
> > L1 has ShadeA and ShadeB
> > L2 has ShadeA and ShadeB
> > but both have their own version that doesn't clash and that doesn't know
> > anything about the other one.
> > The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
> > hidden package from L1 which would be stupid)
> > There are no clashes and every library uses the version that it needs.
> >
> > To be more explicit. I am maintaining org.vafer.jdependency which uses
> > org.objectweb.asm.
> > If you look at the final jar you find
> >
> >  org/vafer/jdeb/shaded/objectweb/asm/*.class
> >
> > The shaded classes are relocated and become part of the context of the
> > library that is shading.
> > A shading hell is just not possible as long as there are no classpath
> > problems on the library itself.
> >
> > It's like you are copy the code into your package.
> > Bytecode manipulation is really not that bad as you make it to be.
> >
> > Just creating uberjars (without relocation)  - that's a whole different
> > story.
> > That should only ever been done on the final application artifact.
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 10:50 AM Gilles Sadowski 
wrote:

> Hello.
>
> Le ven. 24 juil. 2020 à 14:48, Gary Gregory  a
> écrit :
> >
> > On Fri, Jul 24, 2020 at 6:03 AM Gilles Sadowski 
> > wrote:
> >
> > > 2020-07-24 11:25 UTC+02:00, Torsten Curdt :
> > > > It still needs a person to decide to merge a PR for a new version.
> > > > So this indeed is just about the dependency upgrade policies.
> > > >
> > > > But isn't that what the version definition is for?
> > >
> > > Ideally.
> > > In practice, I think that all we can assume is that the version
> > > string is a quick-glance summary of changes, for human
> > > consumption.
> > >
> > > > I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> > > > downgrade,
> > > > 1.12.4 -> 1.20.0 not so much.
> > > >
> > > > But to avoid all this is why I usually try to inline dependencies for
> > > > libraries as much as possible. Basically pretending to not have any.
> > > > This of course depends on whether the dependency can be isolated that
> > > way.
> > > >
> > > > Also a point I made many times.
> > > > Just wanted to mention it - again :)
> > >
> > > I think that it would be great that "Commons" has a common
> > > policy for dealing with this (so that we don't have to repeat
> > > ourselves every now and then).
> > > A long time ago, the "shade" feature seemed the perfect
> > > answer to that problem.  Yet, to avoid dependencies even
> > > on another Commons component, several of us continue to
> > > support the copy/paste option.
> > >
> >
> > There are a few items I'd like to address in this thread so I'll start
> with
> > the above.
> >
> > I would like to offer my view on shading and copy/paste as - to borrow
> Jeff
> > Atwood's expression - a "coding horror". While you may think that there
> are
> > still edge cases where this may seem to some as necessary or expedient, I
> > hope to dissuade you from these practices.
> >
> > The first and most obvious horror to me is the copying and pasting of
> bugs
> > and hard to maintain code. You may also end up taking along supporting
> > methods and classes to support the code you copy. While this may seem to
> > follow the YAGNI principle, my claim is that you can end up with an
> iceberg
> > of new code, where the new API surface above the water does not end up
> > exercising all of the supporting code you had to drag along that lies
> > below.
> >
> > The question where I am most curious to hear back from the copy clan is:
> Do
> > you also copy the unit tests that cover the code you copied? No? Coding
> > horror #2.
> >
> > The third horror does not affect us within Apache but its general
> practice
> > begs its adherents to answer: Did you check the license of the code you
> > copied? No? Coding horror #3. Again, this is not an issue within Apache
> > projects, but the question pops up time and time again at Apache (and at
> > work): Can I copy this code I found outside of Apache?
> >
> > The fourth and final copy horror falls in the same category as the first
> > and deserves its own mention: security; and can be best understood with
> > this question: How often do you check for CVEs for the library containing
> > the code you copied? Never? Coding horror #4.
>
> Agreeing on all the above.
>
> Yet, every time there is an opportunity to engage in this wise
> path, the copying/pasting continues and slowly grows the iceberg.
> A recent example is the issue with pseudo-random numbers
> generation where maintaining duplicate functionality in [Lang]
> was preferred even though [RNG] has 100% coverage (and a
> explicit scope that entails it will never have any dependency of
> its own).
>

Would you be willing to provide a PR that deprecates the relevant APIs and
points to their equivalent in RNG? It will be more cruft we can trim for
4.0, whenever that happens.


> > Shading has its limited use in my view, and I've used it to provide
> > monolithic versions of applications, but beyond that, I've no use for it;
> > but the pain it can cause is very real indeed.
> >
> > You can imagine all manner of jar-hell created by shading.  For instance:
> > - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> > - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> > - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
> no
> > matter what classpath ordering it uses.
> > - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
> no
> > matter what classpath ordering it uses.
>
> I didn't understand how the problem is supposed to arise.
> Fortunately, Torsten already replied to this point. :-)
>
> Unless I'm mistaken, there is one drawback to shading: Since
> it creates new classes, there will be less shared code, hence
> one could imagine a potential hit on performance (?).
>
> > Lastly, there is a special kind of shading jar hell that deserves its own
> > section: the copied and re-packaged source/jar. In this lovely planned
> > development managed by Hades, an entire 

Re: [all] When to update dependencies?

[Rob Tompkins]

> On Jul 24, 2020, at 9:41 AM, Torsten Curdt  wrote:
> 
>> 
>> You can imagine all manner of jar-hell created by shading.  For instance:
>> 
> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
>> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
>> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't no
>> matter what classpath ordering it uses.
>> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't no
>> matter what classpath ordering it uses.

I agree here. Shading is quite subtle indeed and can cause Jar hell. I see what 
you’re saying. Hm…this does indeed become interesting.

I suppose we need to have a standard pattern for shading when to, when not to, 
etc. so that we can more effectively have dependency upgrade automation??

That said, the point that you make is indeed subtle enough that unless we are 
very simplistic with our shading, dependency upversioning and compatibility can
become an NP-complete problem. Thus we need standards here.

-Rob

>> 
> 
> Sorry, but I cannot follow the problems you are trying to show.
> 
> L1 has ShadeA and ShadeB
> L2 has ShadeA and ShadeB
> but both have their own version that doesn't clash and that doesn't know
> anything about the other one.
> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
> hidden package from L1 which would be stupid)
> There are no clashes and every library uses the version that it needs.
> 
> To be more explicit. I am maintaining org.vafer.jdependency which uses
> org.objectweb.asm.
> If you look at the final jar you find
> 
>  org/vafer/jdeb/shaded/objectweb/asm/*.class
> 
> The shaded classes are relocated and become part of the context of the
> library that is shading.
> A shading hell is just not possible as long as there are no classpath
> problems on the library itself.
> 
> It's like you are copy the code into your package.
> Bytecode manipulation is really not that bad as you make it to be.
> 
> Just creating uberjars (without relocation)  - that's a whole different
> story.
> That should only ever been done on the final application artifact.


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 10:02 AM Torsten Curdt  wrote:

> >
> > You can imagine all manner of jar-hell created by shading.  For instance:
> >
> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> > - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> > - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't
> no
> > matter what classpath ordering it uses.
> > - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't
> no
> > matter what classpath ordering it uses.
> >
>
> Sorry, but I cannot follow the problems you are trying to show.
>
> L1 has ShadeA and ShadeB
> L2 has ShadeA and ShadeB
> but both have their own version that doesn't clash and that doesn't know
> anything about the other one.
> The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
> hidden package from L1 which would be stupid)
> There are no clashes and every library uses the version that it needs.
>

The key phrase is "which would be stupid" which you as a consumer have zero
control over. People do stupid things all the time.


> To be more explicit. I am maintaining org.vafer.jdependency which uses
> org.objectweb.asm.
> If you look at the final jar you find
>
>   org/vafer/jdeb/shaded/objectweb/asm/*.class
>
> The shaded classes are relocated and become part of the context of the
> library that is shading.
> A shading hell is just not possible as long as there are no classpath
> problems on the library itself.
>

And this contributes to the problem: This library has now made it
impossible to pick up a fix in ASM or just plain support for a new Java
version.

Gary


> It's like you are copy the code into your package.
> Bytecode manipulation is really not that bad as you make it to be.
>
> Just creating uberjars (without relocation)  - that's a whole different
> story.
> That should only ever been done on the final application artifact.
>

Re: [all] When to update dependencies?

[Torsten Curdt]

>
> Unless I'm mistaken, there is one drawback to shading: Since
> it creates new classes, there will be less shared code, hence
> one could imagine a potential hit on performance (?).
>

Of course it means some code duplication in the final artifact.
This means slightly bigger artifacts - but disk space is cheap.

In the worst case scenario it means some more memory gets used.
For the libraries I am looking at this is insignificant.

Same should be the case for performance.
But you never know for your use case until you measure it.

I see merely a single drawback - and that's when reflection is in the
picture.

IIRC my original minijar code did work around this for static references,
but for dynamic references you were on your own.

I think the current incarnation of the shade plugin does not support
reflection magic.
And maybe it's OK to keep it simpler.


I must be missing something: Since shaded classes are supposed
> to be "internal", if there is an impact on the public API, the only sane
> solution is a bug-fix release that shades the fixed version of the internal
> library.  No?
>

That's exactly how it works.

Re: [all] When to update dependencies?

[Stefan Bodewig]

On 2020-07-24, Bernd Eckenfels wrote:

> When it comes to dependencies wie have both problems: if we upgrade 
> dependencies to aggressively (or if we don't test with older dependencies) 
> then users have the problem that they might not easily be able to upgrade to 
> a new commons version since the required new dependency version might 
> conflict with other (thirdparty) users of that dependency.

> On the other hand if we not continuously update external dependencies we 
> might miss out on their new features, performance and fixes. In addition we 
> might fall behind and have the  to do painful Big Bang Upgrades. Also when 
> our transitive dependencies are outdated and contain bugs (or compliance 
> violations due to old code) some customers might not be happy.

I hear you. I'm not opposed to updating a dependency if we want to use
new features. What I'd like to avoid is updating without a reason other
than "there is a new version and it seems to work according to our
tests".

> So there is a middle ground to be found, which unfortunately collides with 
> the current limited effort maintenance of some of the components:

> - we should define a minimum baseline version of dependencies and runtimes 
> and on each release we check if we still meet them. When we raise the 
> baseline we should ship a new minor (or even major) version. Also we might 
> want to ship security fixes only as a micro update (I.e. not requiring major 
> updates besides the affected code)

One problem with patch updates for security releases is the release vote
will reveal a security update is in the making and the diff will be
small enough to give away the details before the vote has passed. I may
be paranoid.

> - we should regularly test against latest dependency versions (at least 
> within the same minor branch).

Apache Gump?

What you describe sounds good, but "unfortunately collides with the
current limited effort maintenance of some of the components".

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gilles Sadowski]

Hello.

Le ven. 24 juil. 2020 à 14:48, Gary Gregory  a écrit :
>
> On Fri, Jul 24, 2020 at 6:03 AM Gilles Sadowski 
> wrote:
>
> > 2020-07-24 11:25 UTC+02:00, Torsten Curdt :
> > > It still needs a person to decide to merge a PR for a new version.
> > > So this indeed is just about the dependency upgrade policies.
> > >
> > > But isn't that what the version definition is for?
> >
> > Ideally.
> > In practice, I think that all we can assume is that the version
> > string is a quick-glance summary of changes, for human
> > consumption.
> >
> > > I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> > > downgrade,
> > > 1.12.4 -> 1.20.0 not so much.
> > >
> > > But to avoid all this is why I usually try to inline dependencies for
> > > libraries as much as possible. Basically pretending to not have any.
> > > This of course depends on whether the dependency can be isolated that
> > way.
> > >
> > > Also a point I made many times.
> > > Just wanted to mention it - again :)
> >
> > I think that it would be great that "Commons" has a common
> > policy for dealing with this (so that we don't have to repeat
> > ourselves every now and then).
> > A long time ago, the "shade" feature seemed the perfect
> > answer to that problem.  Yet, to avoid dependencies even
> > on another Commons component, several of us continue to
> > support the copy/paste option.
> >
>
> There are a few items I'd like to address in this thread so I'll start with
> the above.
>
> I would like to offer my view on shading and copy/paste as - to borrow Jeff
> Atwood's expression - a "coding horror". While you may think that there are
> still edge cases where this may seem to some as necessary or expedient, I
> hope to dissuade you from these practices.
>
> The first and most obvious horror to me is the copying and pasting of bugs
> and hard to maintain code. You may also end up taking along supporting
> methods and classes to support the code you copy. While this may seem to
> follow the YAGNI principle, my claim is that you can end up with an iceberg
> of new code, where the new API surface above the water does not end up
> exercising all of the supporting code you had to drag along that lies
> below.
>
> The question where I am most curious to hear back from the copy clan is: Do
> you also copy the unit tests that cover the code you copied? No? Coding
> horror #2.
>
> The third horror does not affect us within Apache but its general practice
> begs its adherents to answer: Did you check the license of the code you
> copied? No? Coding horror #3. Again, this is not an issue within Apache
> projects, but the question pops up time and time again at Apache (and at
> work): Can I copy this code I found outside of Apache?
>
> The fourth and final copy horror falls in the same category as the first
> and deserves its own mention: security; and can be best understood with
> this question: How often do you check for CVEs for the library containing
> the code you copied? Never? Coding horror #4.

Agreeing on all the above.

Yet, every time there is an opportunity to engage in this wise
path, the copying/pasting continues and slowly grows the iceberg.
A recent example is the issue with pseudo-random numbers
generation where maintaining duplicate functionality in [Lang]
was preferred even though [RNG] has 100% coverage (and a
explicit scope that entails it will never have any dependency of
its own).

> Shading has its limited use in my view, and I've used it to provide
> monolithic versions of applications, but beyond that, I've no use for it;
> but the pain it can cause is very real indeed.
>
> You can imagine all manner of jar-hell created by shading.  For instance:
> - library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't no
> matter what classpath ordering it uses.
> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't no
> matter what classpath ordering it uses.

I didn't understand how the problem is supposed to arise.
Fortunately, Torsten already replied to this point. :-)

Unless I'm mistaken, there is one drawback to shading: Since
it creates new classes, there will be less shared code, hence
one could imagine a potential hit on performance (?).

> Lastly, there is a special kind of shading jar hell that deserves its own
> section: the copied and re-packaged source/jar. In this lovely planned
> development managed by Hades, an entire jar has been copied then repackaged
> such that instead of being in its original Java package org.foo.library, it
> is now under org.other.bar.org.foo.library. Residents of this charming
> cottage have now the proud owners of every bug and CVE for that specific
> version of the source jar, without, and this is the kicker, the option of
> overriding the jar with a new version (I'll leave aside your option to take
> a new version of the jar and 

Re: [all] When to update dependencies?

[Stefan Bodewig]

On 2020-07-24, Xeno Amess wrote:

> how about:
> 1. we force versions of dependencies in commons-parent
> 2. we make every commons repo use commons-parent as parent.
> 3. we make sure no other repos forces versions of dependencies; all of the
> versions number shall be inherited from commons-parent
> 4. we upgrade versions in commons-parent every several months.

As you may guess I'd be strongly opposed to this as it would mean we
updated everey few months just because we can, noot because there was a
good reason. On top no component could upgrade more agressively if it
really needed a feature of a newer version.

Apart from that I'd expect some component developers to be rather
unhappy if *anything* was forced on them. :-)

Honestly I doubt we could even find a common ground on which version of
Java to support if we tried to have one version for all components.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Bernd Eckenfels]

Hello,

We can certainly put some dependencies in commons parent dependency management 
(and the plugins like we used to), but for a lot of stuff I don't think we will 
be able to find a common ground, and it will be quite painful if projects no 
longer can update commons parent without major testing and integration work 
(plus things like jackrabbit which is only(?) used in vfs might really be 
overhead to maintain that in a parent)


--
http://bernd.eckenfels.net

Von: Xeno Amess 
Gesendet: Friday, July 24, 2020 3:53:18 PM
An: Commons Developers List 
Betreff: Re: [all] When to update dependencies?

how about:
1. we force versions of dependencies in commons-parent
2. we make every commons repo use commons-parent as parent.
3. we make sure no other repos forces versions of dependencies; all of the
versions number shall be inherited from commons-parent
4. we upgrade versions in commons-parent every several months.

Bernd Eckenfels  于2020年7月24日周五 下午9:49写道：

> Hello,
>
> When it comes to dependencies wie have both problems: if we upgrade
> dependencies to aggressively (or if we don't test with older dependencies)
> then users have the problem that they might not easily be able to upgrade
> to a new commons version since the required new dependency version might
> conflict with other (thirdparty) users of that dependency.
>
> On the other hand if we not continuously update external dependencies we
> might miss out on their new features, performance and fixes. In addition we
> might fall behind and have the  to do painful Big Bang Upgrades. Also when
> our transitive dependencies are outdated and contain bugs (or compliance
> violations due to old code) some customers might not be happy.
>
> So there is a middle ground to be found, which unfortunately collides with
> the current limited effort maintenance of some of the components:
>
> - we should define a minimum baseline version of dependencies and runtimes
> and on each release we check if we still meet them. When we raise the
> baseline we should ship a new minor (or even major) version. Also we might
> want to ship security fixes only as a micro update (I.e. not requiring
> major updates besides the affected code)
> - we should regularly test against latest dependency versions (at least
> within the same minor branch). Dependbot could be a help here, however I do
> find it a bit annoying and not needed as I would run the dependency report
> if I have the need to find me something to work on.
>
> Gruss
> Bend
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Stefan Bodewig 
> Gesendet: Friday, July 24, 2020 3:36:36 PM
> An: Commons Developers List 
> Betreff: Re: [all] When to update dependencies?
>
> On 2020-07-24, Gary Gregory wrote:
>
> > Now back to our code depending on other dependencies. My view is that
> there
> > are bugs, you just have not hit them. If I find one in a dependency and
> it
> > gets fixed, it's going to mean a new version of that dependency.
>
> This either is "we hit a bug that affects us" - where I already say this
> is a reason to upgrade for me - or "the user hits a bug" - in which case
> I prefer to let the user update the buggy dependency. I don't want to
> force the user to update because they might be affected by bugs.
>
> And of course we both know that newer versions not only fix bugs, they
> introduce new ones as well.
>
> > Furthermore, when I look online for Javadoc and examples, if I use a
> > current jar version, then my odds are better that I can implement what I
> > find online.
>
> https://javadoc.io/ or similar services?
>
> > I view it as simpler and safer to update from a "near" dependency than
> > letting a dependency acquire "bit rot" and upgrade later, especially
> > if an update means making adjustments. I want to make smaller
> > increments of adjustment rather than a larger set. Just like I prefer
> > to RERO instead of big bangs for releasing Commons components.
>
> I fully agree with you if nobody else depends on my stuff. I.e. I'm
> working on an application rather than a library. When working on a
> library I really want the user to be and stay in control.
>
> > Another way to look at this is to look at a large software stack: If
> every
> > library developer never updates dependencies, then your application,
> > through transitive dependencies will end up depending (virtually) on many
> > versions of the each library, which is much more likely to create jar
> hell
> > and other problems than the other edge case where everyone uses the
> latest
> > version (or a fixed version.)
>
> You are just hitting home on

Re: [all] When to update dependencies?

[Xeno Amess]

how about:
1. we force versions of dependencies in commons-parent
2. we make every commons repo use commons-parent as parent.
3. we make sure no other repos forces versions of dependencies; all of the
versions number shall be inherited from commons-parent
4. we upgrade versions in commons-parent every several months.

Bernd Eckenfels  于2020年7月24日周五 下午9:49写道：

> Hello,
>
> When it comes to dependencies wie have both problems: if we upgrade
> dependencies to aggressively (or if we don't test with older dependencies)
> then users have the problem that they might not easily be able to upgrade
> to a new commons version since the required new dependency version might
> conflict with other (thirdparty) users of that dependency.
>
> On the other hand if we not continuously update external dependencies we
> might miss out on their new features, performance and fixes. In addition we
> might fall behind and have the  to do painful Big Bang Upgrades. Also when
> our transitive dependencies are outdated and contain bugs (or compliance
> violations due to old code) some customers might not be happy.
>
> So there is a middle ground to be found, which unfortunately collides with
> the current limited effort maintenance of some of the components:
>
> - we should define a minimum baseline version of dependencies and runtimes
> and on each release we check if we still meet them. When we raise the
> baseline we should ship a new minor (or even major) version. Also we might
> want to ship security fixes only as a micro update (I.e. not requiring
> major updates besides the affected code)
> - we should regularly test against latest dependency versions (at least
> within the same minor branch). Dependbot could be a help here, however I do
> find it a bit annoying and not needed as I would run the dependency report
> if I have the need to find me something to work on.
>
> Gruss
> Bend
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Stefan Bodewig 
> Gesendet: Friday, July 24, 2020 3:36:36 PM
> An: Commons Developers List 
> Betreff: Re: [all] When to update dependencies?
>
> On 2020-07-24, Gary Gregory wrote:
>
> > Now back to our code depending on other dependencies. My view is that
> there
> > are bugs, you just have not hit them. If I find one in a dependency and
> it
> > gets fixed, it's going to mean a new version of that dependency.
>
> This either is "we hit a bug that affects us" - where I already say this
> is a reason to upgrade for me - or "the user hits a bug" - in which case
> I prefer to let the user update the buggy dependency. I don't want to
> force the user to update because they might be affected by bugs.
>
> And of course we both know that newer versions not only fix bugs, they
> introduce new ones as well.
>
> > Furthermore, when I look online for Javadoc and examples, if I use a
> > current jar version, then my odds are better that I can implement what I
> > find online.
>
> https://javadoc.io/ or similar services?
>
> > I view it as simpler and safer to update from a "near" dependency than
> > letting a dependency acquire "bit rot" and upgrade later, especially
> > if an update means making adjustments. I want to make smaller
> > increments of adjustment rather than a larger set. Just like I prefer
> > to RERO instead of big bangs for releasing Commons components.
>
> I fully agree with you if nobody else depends on my stuff. I.e. I'm
> working on an application rather than a library. When working on a
> library I really want the user to be and stay in control.
>
> > Another way to look at this is to look at a large software stack: If
> every
> > library developer never updates dependencies, then your application,
> > through transitive dependencies will end up depending (virtually) on many
> > versions of the each library, which is much more likely to create jar
> hell
> > and other problems than the other edge case where everyone uses the
> latest
> > version (or a fixed version.)
>
> You are just hitting home on Stefan's almost 20 year old impression that
> automatic transitive dependency resolution is a BAD IDEA. ;-)
>
> I fully expect you (all of you) to ignore that last remark.
>
> > From a hand-waving-talking-over-beers-more-FOSS-y philosophical-POV, I'd
> > like to think that by eating our own current Apache dog food as well as
> > other FOSS dog food, we all help each other make our software better.
>
> We might help the developers of our dependencies but I'm afraid we are
> hurting our dependees - and I tend to care more for the latter.
>
> Stefan
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

Re: [all] When to update dependencies?

[Bernd Eckenfels]

Hello,

When it comes to dependencies wie have both problems: if we upgrade 
dependencies to aggressively (or if we don't test with older dependencies) then 
users have the problem that they might not easily be able to upgrade to a new 
commons version since the required new dependency version might conflict with 
other (thirdparty) users of that dependency.

On the other hand if we not continuously update external dependencies we might 
miss out on their new features, performance and fixes. In addition we might 
fall behind and have the  to do painful Big Bang Upgrades. Also when our 
transitive dependencies are outdated and contain bugs (or compliance violations 
due to old code) some customers might not be happy.

So there is a middle ground to be found, which unfortunately collides with the 
current limited effort maintenance of some of the components:

- we should define a minimum baseline version of dependencies and runtimes and 
on each release we check if we still meet them. When we raise the baseline we 
should ship a new minor (or even major) version. Also we might want to ship 
security fixes only as a micro update (I.e. not requiring major updates besides 
the affected code)
- we should regularly test against latest dependency versions (at least within 
the same minor branch). Dependbot could be a help here, however I do find it a 
bit annoying and not needed as I would run the dependency report if I have the 
need to find me something to work on.

Gruss
Bend


--
http://bernd.eckenfels.net

Von: Stefan Bodewig 
Gesendet: Friday, July 24, 2020 3:36:36 PM
An: Commons Developers List 
Betreff: Re: [all] When to update dependencies?

On 2020-07-24, Gary Gregory wrote:

> Now back to our code depending on other dependencies. My view is that there
> are bugs, you just have not hit them. If I find one in a dependency and it
> gets fixed, it's going to mean a new version of that dependency.

This either is "we hit a bug that affects us" - where I already say this
is a reason to upgrade for me - or "the user hits a bug" - in which case
I prefer to let the user update the buggy dependency. I don't want to
force the user to update because they might be affected by bugs.

And of course we both know that newer versions not only fix bugs, they
introduce new ones as well.

> Furthermore, when I look online for Javadoc and examples, if I use a
> current jar version, then my odds are better that I can implement what I
> find online.

https://javadoc.io/ or similar services?

> I view it as simpler and safer to update from a "near" dependency than
> letting a dependency acquire "bit rot" and upgrade later, especially
> if an update means making adjustments. I want to make smaller
> increments of adjustment rather than a larger set. Just like I prefer
> to RERO instead of big bangs for releasing Commons components.

I fully agree with you if nobody else depends on my stuff. I.e. I'm
working on an application rather than a library. When working on a
library I really want the user to be and stay in control.

> Another way to look at this is to look at a large software stack: If every
> library developer never updates dependencies, then your application,
> through transitive dependencies will end up depending (virtually) on many
> versions of the each library, which is much more likely to create jar hell
> and other problems than the other edge case where everyone uses the latest
> version (or a fixed version.)

You are just hitting home on Stefan's almost 20 year old impression that
automatic transitive dependency resolution is a BAD IDEA. ;-)

I fully expect you (all of you) to ignore that last remark.

> From a hand-waving-talking-over-beers-more-FOSS-y philosophical-POV, I'd
> like to think that by eating our own current Apache dog food as well as
> other FOSS dog food, we all help each other make our software better.

We might help the developers of our dependencies but I'm afraid we are
hurting our dependees - and I tend to care more for the latter.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Torsten Curdt]

>
> You can imagine all manner of jar-hell created by shading.  For instance:
>
- library L1 shades library ShadedA-1.0 and ShadedB-1.1.
> - library L2 shades library ShadedA-1.1 and ShadedB-1.0.
> - An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't no
> matter what classpath ordering it uses.
> - An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't no
> matter what classpath ordering it uses.
>

Sorry, but I cannot follow the problems you are trying to show.

L1 has ShadeA and ShadeB
L2 has ShadeA and ShadeB
but both have their own version that doesn't clash and that doesn't know
anything about the other one.
The app does not see ShadeA or ShadeB from L1 or L2 (unless it uses the
hidden package from L1 which would be stupid)
There are no clashes and every library uses the version that it needs.

To be more explicit. I am maintaining org.vafer.jdependency which uses
org.objectweb.asm.
If you look at the final jar you find

  org/vafer/jdeb/shaded/objectweb/asm/*.class

The shaded classes are relocated and become part of the context of the
library that is shading.
A shading hell is just not possible as long as there are no classpath
problems on the library itself.

It's like you are copy the code into your package.
Bytecode manipulation is really not that bad as you make it to be.

Just creating uberjars (without relocation)  - that's a whole different
story.
That should only ever been done on the final application artifact.

Re: [all] When to update dependencies?

[Stefan Bodewig]

On 2020-07-24, Gary Gregory wrote:

> Now back to our code depending on other dependencies. My view is that there
> are bugs, you just have not hit them. If I find one in a dependency and it
> gets fixed, it's going to mean a new version of that dependency.

This either is "we hit a bug that affects us" - where I already say this
is a reason to upgrade for me - or "the user hits a bug" - in which case
I prefer to let the user update the buggy dependency. I don't want to
force the user to update because they might be affected by bugs.

And of course we both know that newer versions not only fix bugs, they
introduce new ones as well.

> Furthermore, when I look online for Javadoc and examples, if I use a
> current jar version, then my odds are better that I can implement what I
> find online.

https://javadoc.io/ or similar services?

> I view it as simpler and safer to update from a "near" dependency than
> letting a dependency acquire "bit rot" and upgrade later, especially
> if an update means making adjustments. I want to make smaller
> increments of adjustment rather than a larger set. Just like I prefer
> to RERO instead of big bangs for releasing Commons components.

I fully agree with you if nobody else depends on my stuff. I.e. I'm
working on an application rather than a library. When working on a
library I really want the user to be and stay in control.

> Another way to look at this is to look at a large software stack: If every
> library developer never updates dependencies, then your application,
> through transitive dependencies will end up depending (virtually) on many
> versions of the each library, which is much more likely to create jar hell
> and other problems than the other edge case where everyone uses the latest
> version (or a fixed version.)

You are just hitting home on Stefan's almost 20 year old impression that
automatic transitive dependency resolution is a BAD IDEA. ;-)

I fully expect you (all of you) to ignore that last remark.

> From a hand-waving-talking-over-beers-more-FOSS-y philosophical-POV, I'd
> like to think that by eating our own current Apache dog food as well as
> other FOSS dog food, we all help each other make our software better.

We might help the developers of our dependencies but I'm afraid we are
hurting our dependees - and I tend to care more for the latter.

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gary Gregory]

Hi All:

I'd like to start here by flipping the story around by looking at what we
do.

Ideally, a PR comes in for a bug with its fix and unit test. This is the
best case scenario. If the PR is green, we squash and merge, and tell
folks, yes, it will be in the next release.

At times, a message comes in that says something like "In version 1.1, I
see this behavior, it's a bug!" To which we say, "Ah, yes, this was fixed
in 1.5, please upgrade." Alternatively, we say "Ah, yes, that's a bug, may
you provide a PR? It will be in the next release".

Other times, we say "May you please try the latest version, see what
happens, and tell us?" Then pick one of the above.

Sometime I say: "I'm not going to fix this on top of 1.1 to create a 1.1.1,
I'll fix it in the current code base and it will be in the next version."

A CVE might cause an older version to be branched as in the 1.1.1 case
above but I've not seen that done here.

Now back to our code depending on other dependencies. My view is that there
are bugs, you just have not hit them. If I find one in a dependency and it
gets fixed, it's going to mean a new version of that dependency.
Furthermore, when I look online for Javadoc and examples, if I use a
current jar version, then my odds are better that I can implement what I
find online. I view it as simpler and safer to update from a "near"
dependency than letting a dependency acquire "bit rot" and upgrade later,
especially if an update means making adjustments. I want to make smaller
increments of adjustment rather than a larger set. Just like I prefer to
RERO instead of big bangs for releasing Commons components.

Another way to look at this is to look at a large software stack: If every
library developer never updates dependencies, then your application,
through transitive dependencies will end up depending (virtually) on many
versions of the each library, which is much more likely to create jar hell
and other problems than the other edge case where everyone uses the latest
version (or a fixed version.)

>From a hand-waving-talking-over-beers-more-FOSS-y philosophical-POV, I'd
like to think that by eating our own current Apache dog food as well as
other FOSS dog food, we all help each other make our software better.

Gary


On Fri, Jul 24, 2020 at 4:04 AM Stefan Bodewig  wrote:

> Hi all
>
> here I'd like to explain why I prefer not to update dependencies just
> because we can. Maybe you can convince me that I'm wrong. I've tried to
> make this point in different threads but either it has been lost or it
> just wasn't worth discussing.
>
> First of all let me get a few things out of the way
>
> * I'm not talking about emails, I can deal with them
>
> * I don't care whether a bot or a human asks for a version update
>
> * I'm only talking about dependencies that are visible to our
>   users. Test time dependencies or versions of Maven plugins are
>   probably not an issue. Although Compress has mananaged to break its
>   OSGi bundle just by upgrading the parent POM in the past.
>   https://issues.apache.org/jira/browse/COMPRESS-498
>
> All our components have downstream users. I.e. our dependencies become
> somebody else's dependencies as well.
>
> Let's say commons-foo 1.1.0 depends on A 1.12.4 and bumps the dependency
> to A 1.12.18 for commons-foo 1.2.0.
>
> When a user of commons-foo upgrades to 1.2.0 and hasn't defined their
> dependency on A explicitly they will also upgrade A to 1.12.18. This may
> be fine or it may cause problems. The new version of A may have made
> incompatible changes that break the user's code or it may just have bugs
> that were not present in A 1.12.4 and now raise their head.
>
> Of course the users can explicitly state a dependency on A 1.12.4
> themselves. But there is no guarantee commons-foo compiled against A
> 1.12.18 will still work with A 1.12.4.
>
> About fifteen years ago Ant was bitten by StringBuffer adding a new
> method append(StringBuffer) in Java 1.4 (if memory serves me
> right). Code that called someStringBuffer.append(anotherStringBuffer)
> compiled on Java 1.3 would call append(Object), but compiled on 1.4 it
> would call the new version and thus could not run on Java 1.3. This is
> the kind of change animal sniffer was invented to detect and the
> --release option of javac deals with. There is no such tool helping us
> with APIs that are not part of the Java classlib.
>
> Therefore I believe updating a dependency is a risk and we should leave
> it to the users to decide which version they want to use.
>
> Unless we've got real reasons to update. Real reasons IMHO are security
> issues, bugs in dependencies causing bugs in our code or when we really
> want to use new features introduced in a new version.
>
> Outside of these good reasons I wouldn't want to ever update a
> dependency.
>
> Stefan
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, 

Re: [all] When to update dependencies?

[Gary Gregory]

On Fri, Jul 24, 2020 at 6:03 AM Gilles Sadowski 
wrote:

> 2020-07-24 11:25 UTC+02:00, Torsten Curdt :
> > It still needs a person to decide to merge a PR for a new version.
> > So this indeed is just about the dependency upgrade policies.
> >
> > But isn't that what the version definition is for?
>
> Ideally.
> In practice, I think that all we can assume is that the version
> string is a quick-glance summary of changes, for human
> consumption.
>
> > I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> > downgrade,
> > 1.12.4 -> 1.20.0 not so much.
> >
> > But to avoid all this is why I usually try to inline dependencies for
> > libraries as much as possible. Basically pretending to not have any.
> > This of course depends on whether the dependency can be isolated that
> way.
> >
> > Also a point I made many times.
> > Just wanted to mention it - again :)
>
> I think that it would be great that "Commons" has a common
> policy for dealing with this (so that we don't have to repeat
> ourselves every now and then).
> A long time ago, the "shade" feature seemed the perfect
> answer to that problem.  Yet, to avoid dependencies even
> on another Commons component, several of us continue to
> support the copy/paste option.
>

There are a few items I'd like to address in this thread so I'll start with
the above.

I would like to offer my view on shading and copy/paste as - to borrow Jeff
Atwood's expression - a "coding horror". While you may think that there are
still edge cases where this may seem to some as necessary or expedient, I
hope to dissuade you from these practices.

The first and most obvious horror to me is the copying and pasting of bugs
and hard to maintain code. You may also end up taking along supporting
methods and classes to support the code you copy. While this may seem to
follow the YAGNI principle, my claim is that you can end up with an iceberg
of new code, where the new API surface above the water does not end up
exercising all of the supporting code you had to drag along that lies
below.

The question where I am most curious to hear back from the copy clan is: Do
you also copy the unit tests that cover the code you copied? No? Coding
horror #2.

The third horror does not affect us within Apache but its general practice
begs its adherents to answer: Did you check the license of the code you
copied? No? Coding horror #3. Again, this is not an issue within Apache
projects, but the question pops up time and time again at Apache (and at
work): Can I copy this code I found outside of Apache?

The fourth and final copy horror falls in the same category as the first
and deserves its own mention: security; and can be best understood with
this question: How often do you check for CVEs for the library containing
the code you copied? Never? Coding horror #4.

Shading has its limited use in my view, and I've used it to provide
monolithic versions of applications, but beyond that, I've no use for it;
but the pain it can cause is very real indeed.

You can imagine all manner of jar-hell created by shading.  For instance:
- library L1 shades library ShadedA-1.0 and ShadedB-1.1.
- library L2 shades library ShadedA-1.1 and ShadedB-1.0.
- An app wants to use L1, L2, ShadedA-1.1, and ShadedB-1.1 but it can't no
matter what classpath ordering it uses.
- An app wants to use L1, L2, ShadedA-1.0, and ShadedB-1.0 but it can't no
matter what classpath ordering it uses.

Lastly, there is a special kind of shading jar hell that deserves its own
section: the copied and re-packaged source/jar. In this lovely planned
development managed by Hades, an entire jar has been copied then repackaged
such that instead of being in its original Java package org.foo.library, it
is now under org.other.bar.org.foo.library. Residents of this charming
cottage have now the proud owners of every bug and CVE for that specific
version of the source jar, without, and this is the kicker, the option of
overriding the jar with a new version (I'll leave aside your option to take
a new version of the jar and repackaging it yourself to put it in front of
the shaded jar.) I've seen this in various libraries that shade
bytecode manipulation libraries that you can't use on new Java versions.

I hope this helps someone...

Gary


> Gilles
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

Re: [all] When to update dependencies?

[Stefan Bodewig]

On 2020-07-24, Torsten Curdt wrote:

> It still needs a person to decide to merge a PR for a new version.
> So this indeed is just about the dependency upgrade policies.

Right.

> But isn't that what the version definition is for?
> I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> downgrade,
> 1.12.4 -> 1.20.0 not so much.

As Gary pointed out else-thread most of the time we do not know how
strict the team developing our dependency adheres to SemVer.

Even if it was completely API compatible, we'd replace a version that
worked for our users with a different version that may introduce
problems. No matter how small the risk is, what is the benefit of
upgrading if we don't need the new version ourselves?

> But to avoid all this is why I usually try to inline dependencies for
> libraries as much as possible. Basically pretending to not have any.

Agreed, this is a different strategy that makes the whole question moot.

> Also a point I made many times.
> Just wanted to mention it - again :)

;-)

Stefan

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Gilles Sadowski]

2020-07-24 11:25 UTC+02:00, Torsten Curdt :
> It still needs a person to decide to merge a PR for a new version.
> So this indeed is just about the dependency upgrade policies.
>
> But isn't that what the version definition is for?

Ideally.
In practice, I think that all we can assume is that the version
string is a quick-glance summary of changes, for human
consumption.

> I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
> downgrade,
> 1.12.4 -> 1.20.0 not so much.
>
> But to avoid all this is why I usually try to inline dependencies for
> libraries as much as possible. Basically pretending to not have any.
> This of course depends on whether the dependency can be isolated that way.
>
> Also a point I made many times.
> Just wanted to mention it - again :)

I think that it would be great that "Commons" has a common
policy for dealing with this (so that we don't have to repeat
ourselves every now and then).
A long time ago, the "shade" feature seemed the perfect
answer to that problem.  Yet, to avoid dependencies even
on another Commons component, several of us continue to
support the copy/paste option.

Gilles

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [all] When to update dependencies?

[Torsten Curdt]

It still needs a person to decide to merge a PR for a new version.
So this indeed is just about the dependency upgrade policies.

But isn't that what the version definition is for?
I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
downgrade,
1.12.4 -> 1.20.0 not so much.

But to avoid all this is why I usually try to inline dependencies for
libraries as much as possible. Basically pretending to not have any.
This of course depends on whether the dependency can be isolated that way.

Also a point I made many times.
Just wanted to mention it - again :)