[jira] [Comment Edited] (MGPG-111) Clean upn dependency declarations

2024-03-15 Thread Tamas Cservenak (Jira)


[ https://issues.apache.org/jira/browse/MGPG-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17827428#comment-17827428 ]

Tamas Cservenak edited comment on MGPG-111 at 3/15/24 8:06 AM:
---

This is the best I can do (and it feels right):
{noformat}
[INFO] --- dependency:3.6.1:analyze (default-cli) @ maven-gpg-plugin ---
[WARNING] Used undeclared dependencies found:
[WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
[WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile
{noformat}
As explained: junixsocket tells you to use the POM dependency (which brings in 
one Java and one native dependency). Analyze senses the Java one as "undeclared 
but used" (it is used), completely misses the native one, and reports that the 
directly added POM is unused.

I also commented that plexus-sec-dispatcher and plexus-cipher simply "must go 
both" (together).


was (Author: cstamas):
This is the best I can do (and it feels right):
{noformat}
[INFO] --- dependency:3.6.1:analyze (default-cli) @ maven-gpg-plugin ---
[WARNING] Used undeclared dependencies found:
[WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
[WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile
{noformat}
As explained: junixsocket tells you to use the POM dependency (which brings in 
one Java and one native dependency); analyze senses the Java one as "undeclared 
but used" (it is used), completely misses the native one, and reports that the 
POM is unused.

I also commented that plexus-sec-dispatcher and plexus-cipher simply "must go 
both" (together).

> Clean upn dependency declarations
> -
>
> Key: MGPG-111
> URL: https://issues.apache.org/jira/browse/MGPG-111
> Project: Maven GPG Plugin
>  Issue Type: Dependency upgrade
>Reporter: Elliotte Rusty Harold
>Assignee: Tamas Cservenak
>Priority: Minor
> Fix For: 3.2.1
>
>
> [WARNING] Used undeclared dependencies found:
> [WARNING]    org.apache.maven:maven-artifact:jar:3.9.6:provided
> [WARNING]    org.apache.maven:maven-settings:jar:3.9.6:provided
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
> [WARNING]    org.apache.maven.resolver:maven-resolver-impl:jar:1.9.18:provided
> [WARNING] Unused declared dependencies found:
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
> [WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Comment Edited] (MGPG-111) Clean upn dependency declarations

2024-03-09 Thread Elliotte Rusty Harold (Jira)


[ https://issues.apache.org/jira/browse/MGPG-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17824936#comment-17824936 ]

Elliotte Rusty Harold edited comment on MGPG-111 at 3/9/24 12:42 PM:
-

Interesting blog article. After reading it, I'm not surprised that 
maven-dependency-analyzer doesn't pick up "dependency grouping". It's 
essentially a hack that uses undeclared transitive dependencies instead of 
declared direct dependencies. I suppose you might make a case for that, but 
it's the opposite of what maven-dependency-plugin:analyze is trying to check. 
My personal opinion is that developers should bite the bullet and declare all 
their direct dependencies and only direct dependencies. Use a BOM to set 
versions of related projects, but not to add dependencies to the tree.

Anything else runs counter to the design of Maven and the Maven repository 
system, and will cause more problems than it solves. The design of the Maven 
repo system is far from perfect, but it's what we've got, and we can't hack 
changes into it. Anything better would require a complete rethink of everything 
beyond jar files and classpaths. It's the classic antipattern of someone 
wishing the system were other than it is, and trying to pound the round peg 
into a square hole by using a bigger hammer. Other examples of this antipattern 
include "functional" programming in Java, various schemes to avoid declaring 
and handling checked exceptions, and any number of faster XML parsers that 
achieve speed by changing or subsetting the XML spec.


was (Author: elharo):
Interesting blog article. After reading it, I'm not surprised that 
maven-dependency-analyzer doesn't pick up "dependency grouping". It's 
essentially a hack that uses undeclared transitive dependencies instead of 
declared direct dependencies. I suppose you might make a case for that, but 
it's the opposite of what maven-dependency-plugin:analyze is trying to check. 
My personal opinion is that developers should bite the bullet and declare all 
their direct dependencies and only direct dependencies. Use a BOM to set 
versions of related projects, but not to add dependencies to the tree.

> Clean upn dependency declarations
> -
>
> Key: MGPG-111
> URL: https://issues.apache.org/jira/browse/MGPG-111
> Project: Maven GPG Plugin
>  Issue Type: Dependency upgrade
>Reporter: Elliotte Rusty Harold
>Priority: Minor
>
> [WARNING] Used undeclared dependencies found:
> [WARNING]    org.apache.maven:maven-artifact:jar:3.9.6:provided
> [WARNING]    org.apache.maven:maven-settings:jar:3.9.6:provided
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-common:jar:2.9.0:compile
> [WARNING]    org.apache.maven.resolver:maven-resolver-impl:jar:1.9.18:provided
> [WARNING] Unused declared dependencies found:
> [WARNING]    com.kohlschutter.junixsocket:junixsocket-core:pom:2.9.0:compile
> [WARNING]    org.codehaus.plexus:plexus-cipher:jar:2.0:compile



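One way to make the two junixsocket warnings in Tamas's analyze output go away while following Elliotte's "declare all direct dependencies, and only direct dependencies" position, as an added pom.xml example that is not part of MGPG-111 or the maven-gpg-plugin build: drop the grouping POM, declare the two artifacts it pulled in directly, and tell the analyzer that the native artifact is expected to look unused, because bytecode analysis cannot see a JNI library that is only loaded at runtime. The artifact name junixsocket-native-common for the native half is an assumption taken from the junixsocket project layout, not something this thread states; the plugin settings use the existing analyze-only goal and the ignoredUnusedDeclaredDependencies and failOnWarning parameters of maven-dependency-plugin.

```xml
<project>
  <!-- ... groupId/artifactId/version of the consuming project omitted ... -->
  <dependencies>
    <!--
      Before (flagged by dependency:analyze):
      <dependency>
        <groupId>com.kohlschutter.junixsocket</groupId>
        <artifactId>junixsocket-core</artifactId>
        <version>2.9.0</version>
        <type>pom</type>
      </dependency>
      The analyzer reports this POM as "unused declared" and its Java member
      junixsocket-common as "used undeclared", and never sees the native member.
    -->

    <!-- After: the Java half the code actually compiles against. -->
    <dependency>
      <groupId>com.kohlschutter.junixsocket</groupId>
      <artifactId>junixsocket-common</artifactId>
      <version>2.9.0</version>
    </dependency>
    <!-- The native half (assumed artifact name). Loaded via JNI at runtime, so
         no class in this project references it and the analyzer will call it
         unused; it is still a real, direct runtime requirement. -->
    <dependency>
      <groupId>com.kohlschutter.junixsocket</groupId>
      <artifactId>junixsocket-native-common</artifactId>
      <version>2.9.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.6.1</version>
        <executions>
          <execution>
            <id>analyze-declared-dependencies</id>
            <phase>verify</phase>
            <goals>
              <goal>analyze-only</goal>
            </goals>
            <configuration>
              <!-- Turn the warnings above into a build failure so a newly
                   introduced undeclared use is caught in CI, not in review. -->
              <failOnWarning>true</failOnWarning>
              <!-- The native artifact is known to look unused to bytecode
                   analysis; suppress only that one, by exact groupId:artifactId,
                   so other false negatives are not hidden along with it. -->
              <ignoredUnusedDeclaredDependencies>
                <ignoredUnusedDeclaredDependency>com.kohlschutter.junixsocket:junixsocket-native-common</ignoredUnusedDeclaredDependency>
              </ignoredUnusedDeclaredDependencies>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` (or `mvn dependency:analyze-only` by hand) with this configuration fails the build on any used-but-undeclared or declared-but-unused artifact other than the one suppression listed, which is the point of the check Elliotte describes: every artifact on the classpath, including the native one, is now a deliberate declaration that shows up in the dependency tree and in anything generated from it. The plexus-cipher warning in the same output is a separate decision (the thread says plexus-sec-dispatcher and plexus-cipher go together) and is left alone here.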