Orjan Austvold wrote:
During the last 8-10 months we have experienced several updates in already released artifacts in the Maven repository at Ibiblio. Many of these have been caused by reports to Maven evangelism.

For us this has been extremely problematic since the time of download of dependencies causes developers to have different POMs in their local repository. For us this has caused our projects to produce different builds dependent on which developer made the build and at which time the build was made.

Personally I strongly believe that once an artifact has been released -- with or without errors in the artifact's POM -- it should be left in the state it's in. If a change is required due to a malformed POM, a missing groupId, non-existing parent, missing dependency, wrong scope of a dependency or the like, it should be left in the state it is in. If an update is required a new version should be released.

For projects that use Maven for building and releasing, your idea is good. But for projects that do not have a POM of their own this doesn't work. Most of the issues in MEV are for projects without POMs. The POMs that get uploaded to these issues are often not made by the people *responsible* for the project but by people *using* the project. Because of this, errors do occur in these POMs more often than one would like.

Due to the instability of released artifacts at Ibiblio we are now considering setting up our own repository (not a mirror and not a maven-proxy repository) to gain complete control over changes in released POMs. Of course this is not the intention of Maven 2.

If you have strict requirements on reproducible builds this sounds like a good plan. If you don't have that many dependencies it should not require so much work.

--
Dennis Lundberg
