On 02/08/2010 11:00 AM, Nicola Musatti wrote:
> Shan Syed wrote:
>> ok, thanks
>> basically for liability reasons for a certain project, we have to provide
>> specific times of when a project was built and when/where all its
>> dependencies were retrieved at/from
>> we have to ensure a sanitary build for all these JARs and a complete log of
>> going from 0 to 100 for the build; so we are faced with either clearing out
>> the .m2 each time
>> I was wondering if there was a way to force this through maven
> I'd say there are two sides to your problem: one is how to control
> when third-party artifacts are downloaded from remote repositories and
> the other is to control when and from which sources your own artifacts
> are built.
> One way to tackle the first problem is to use a repository manager
> like nexus, but not its proxying capabilities. Instead third party
> artifacts could be added to a specific repository by hand.
Using a repository is always a good idea. In practical terms, I am not
sure if the source of the download is all that important in most cases,
since they come from Maven Central most of the time and you can not
easily tell the client who actually put the jar file in Maven Central or
even what company the person worked for.

This may be a case where the client started out with a good idea
(control who is building components that the "prime" contractor is using),
but as Maven gets more popular, Maven Central becomes an easy place to
get things even if it is not the home of the author.

The idea of setting up Nexus (or some other proxy) and only using the
manual upload to feed it will go a long way to giving the client a
comfortable feeling that you do know where and when you got your components.
You would not have to worry about individual .m2 contents since the
downloads would all be distributed centrally from your repo.
This would speed up the builds tremendously.
> For the second problem you could use a specifically tailored aggregate
> project that included all of the jars you need to build, so that none
> would be retrieved from repositories. If you are using Subversion for
> version control you could use svn:externals to automatically check out
> of your projects.
We do this with our third party libraries and it ensures that developers
build with the "right" version, which is more important than the client
knowing, in our case.

We do have a set of versioned POM files that can be provided to anyone
who wants to know what libraries (and their versions) were used to
build any particular version of our application.

We do not change the version of third-party software in the POMs within
a version of our software, so builds within a release are all built with
the same set of dependencies.
If we did need to change the version of a third-party package, that
would trigger a new minor version of our application.

We do not track the actual download from Maven Central or our manual
uploads for artifacts not in Maven Central. That is only done once per
artifact version.
I am not sure if Nexus could report this activity if we did want to
track it. There might be logs available.

Once you stop individuals from accessing the dependencies directly
without controls, it gets much easier to track dependencies to the level
that your client wants.
It also makes the POM of our artifacts very small since they only depend
on a few aggregate projects.
> Cheers,
> Nicola Musatti
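To make the first half of the advice above concrete (route every download through a hand-fed repository manager rather than letting each developer's .m2 pull from Maven Central), here is a settings.xml mirror definition. This is an added example, not configuration from the thread or from any of the participants; the hostname and repository path are assumptions you would replace with your own.

```xml
<!-- ~/.m2/settings.xml (added example; hostname and repository path are assumptions) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- Send every remote repository request (Central, plugin repositories and
       anything a POM declares) to the internal repository manager. Because the
       manager is fed only by manual uploads and does no proxying, an artifact
       nobody has vetted and uploaded fails to resolve instead of being fetched
       silently from the internet; the upload records become the audit trail. -->
  <mirrors>
    <mirror>
      <id>internal-third-party</id>
      <name>Hand-curated third-party repository</name>
      <url>http://repo.example.internal/repository/third-party/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

With this in place, a build that needs a jar nobody uploaded stops with a resolution error, which is the behaviour you want when the client needs a complete record of where every dependency came from. For a build you want to prove used nothing new at all, run it with `mvn -o` (offline mode) against a local repository populated from the manager only.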
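For the second half (the versioned aggregate POM that lists every third-party jar, so that application POMs depend on one aggregate artifact and a dependency change is a visible version bump), here is what such an aggregate project can look like. This is an added example rather than the POM files the participants describe; the groupId, artifactIds and version numbers are placeholders, and the enforcer rules shown are the plugin's own `requireReleaseDeps` and `requirePluginVersions`.

```xml
<!-- third-party-aggregate/pom.xml (added example; identifiers and versions are placeholders) -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example.build</groupId>
  <artifactId>third-party-aggregate</artifactId>
  <version>1.2.0</version>
  <packaging>pom</packaging>

  <!-- Every third-party library the application needs, each pinned to one
       release. Application modules depend on this artifact (type "pom") and
       inherit the set transitively, so their own POMs stay small. Changing any
       version here means releasing a new aggregate version, which is the
       auditable event a client can be shown. -->
  <dependencies>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>example-lib</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>example-util</artifactId>
      <version>1.0.4</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>ENFORCER_PLUGIN_VERSION</version> <!-- placeholder: use the version you vetted -->
        <executions>
          <execution>
            <id>enforce-pinned-dependencies</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- A SNAPSHOT dependency can change under you between two
                     builds, so it can never be part of a reproducible record. -->
                <requireReleaseDeps/>
                <!-- Plugins also run code during the build; they get pinned too. -->
                <requirePluginVersions/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

An application module then declares a single dependency on `com.example.build:third-party-aggregate:1.2.0` with `<type>pom</type>`, and the aggregate's version number in that module's POM is the answer to "which libraries, at which versions, built this release". Running `mvn dependency:list` on the module prints the resolved set if the client wants the flat list rather than the aggregate POM itself.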
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org