On Wednesday, 31. January 2024, 16:34:22 CET Mansour Al Akeel wrote:
> We have a large number of legacy dependencies that we need to sign. I am
> trying to cache those that are not signed into an internal repository to
> reduce build time.
>
> So I created another project to sign them and load them into our private
> repository. I am using a classifier to indicate the signed ones. For
> example, <classifier>signed</classifier>. Those are pulled properly.
> However, those dependencies have many transitive dependencies that are
> signed as well, but not pulled. The reason is that in the original pom,
> they point to the unsigned ones.
>
> What is the best (maven) way to resolve this? I can simply ignore the
> classifier part I guess as a simple solution.
>
> I would appreciate a better approach.
Using the classifier is a really bad choice, since it is used for all kinds of supplemental artifacts, like source, javadoc, etc., and it will completely spoil any kind of transitive dependency management.

You may instead use your own versions; just append "-signed" to them. While the poms still carry the old version, you can have a common parent pom that declares all required dependencies in a dependencyManagement section. Here you can also overwrite the version to use (the one with the postfix) for each dependency transitively. Now you can still declare in your projects only the directly required dependencies, and you will nevertheless get anything that is required transitively. And you will immediately see, looking at the dependency tree, if something unsigned is used.

The downside is that you will always have to monitor what other/new transitive dependencies are used when you want to update one of your directly used ones. But with your signing you will have to do this anyway.

As best practice: declare the versions with properties and never declare any version directly on the dependencies of a local pom; just omit the version element completely. As a benefit you're able to overwrite any version from the command line using that property. You may even have a profile to build everything with unsigned dependencies. Just declare the postfix itself as a property that can be overwritten, e.g. using a profile:

    <profiles>
      <profile>
        <id>unsigned</id>
        <properties>
          <version.postfix/>
        </properties>
      </profile>
    </profiles>

    <properties>
      <version.postfix>-signed</version.postfix>
      <version.commons-lang>2.6${version.postfix}</version.commons-lang>
    </properties>

Regards,
Jörg
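The approach described in the reply above, written out as a complete parent pom. This is an added example and not Jörg's own code or anything from the Maven project; the coordinates (`com.example:signed-deps-parent`), the second managed artifact (`commons-io`, standing in for a transitive dependency of a re-signed artifact) and its version are hypothetical. It shows the three pieces the reply combines: a `version.postfix` property, one version property per artifact, and a `dependencyManagement` section that pins both direct and transitive artifacts to the `-signed` variant, plus the `unsigned` profile that blanks the postfix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the shared parent pom -->
  <groupId>com.example</groupId>
  <artifactId>signed-deps-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Postfix appended to every managed version; "-signed" by default -->
    <version.postfix>-signed</version.postfix>

    <!-- One property per artifact. Child poms never put a <version> on a
         dependency; they get it from dependencyManagement below. -->
    <version.commons-lang>2.6${version.postfix}</version.commons-lang>
    <!-- Hypothetical transitive dependency that the re-signed artifact's
         original pom still references by its plain upstream version -->
    <version.commons-io>2.4${version.postfix}</version.commons-io>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Directly used dependency -->
      <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>${version.commons-lang}</version>
      </dependency>

      <!-- Transitive dependency. Listing it here makes Maven resolve the
           signed version even though the upstream pom asks for the
           unsigned one: dependencyManagement in the consuming build wins
           over versions declared in a dependency's own pom. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${version.commons-io}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <profiles>
    <!-- "mvn -Punsigned ..." empties the postfix, so every managed
         version falls back to the plain upstream artifact -->
    <profile>
      <id>unsigned</id>
      <properties>
        <version.postfix/>
      </properties>
    </profile>
  </profiles>
</project>
```

A child pom that inherits from this parent then declares only `<groupId>commons-lang</groupId><artifactId>commons-lang</artifactId>` with no `<version>`, and `commons-io` arrives transitively as `2.4-signed`. To check that nothing unsigned slipped in, run `mvn dependency:tree` on the child and look for any version in the output that lacks the `-signed` postfix; to bump a single artifact without touching the pom, pass the property on the command line, e.g. `mvn -Dversion.commons-io=2.5-signed package` (the `2.5` value is, again, hypothetical).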