Jukka Zitting wrote:
> Hi,
>
> On Sun, Sep 20, 2009 at 10:19 PM, Marshall Schor <m...@schor.com> wrote:
>> After thinking about this for a while, and considering both methods, I
>> think the most reliable way to handle 3rd party Jars is to manually put
>> them into the lib/ directory, once, and then check the lib/ directory
>> into SVN. This avoids build issues in the future which could occur if
>> the Jar obtained from the maven dependency plugin is somehow corrupted,
>> or changes level, etc. Also, having the Jars in SVN ensures that
>> whatever work we do to update the LICENSE/NOTICE files for those Jars
>> remains valid (because the Jar doesn't (potentially) change).
>
> By policy non-SNAPSHOT artifacts in the Maven repository never change,
> and each artifact is accompanied by checksums that guard against
> corruption. It's possible for a user to mess up the files in their
> local Maven repository, but it's probably just as likely that they'd
> mess up any files in ./lib.
>
> To me the proposed solution sounds like extra effort with little or no
> benefit.

One benefit I see is that you have only one NOTICE/LICENSE file for the source and binary distribution. What's more, if your source distribution does not include the dependencies and you therefore don't mention them in your NOTICE/LICENSE files, it might come as a surprise to users that the build pulls in all those files they didn't know about (or they don't even notice, which would be even worse).

--Thilo

>
> BR,
>
> Jukka Zitting