In either case, with Maven 2, the solution (as far as I know) is
simply to directly declare your dependency on Bob's Ace Logger v1.0.1.
Then you'll get that version.

- Stephen

On 6/30/06, Graham Lea <[EMAIL PROTECTED]> wrote:
Hi all

I am new to using Maven2 and am concerned about the behaviour of
transitive dependencies.
In particular, I foresee certain situations where automated transitive
dependencies, controlled by a third party, could be a Bad Thing.
I have documented two such situations below.
If anybody knows of and can explain ways in which Maven attempts to
handle or allows someone to themselves account for these kinds of
situations, I would be most appreciative if you could describe it or
give a reference. (Not to source code, please.) ;-)

Thanks very much,

Graham.


*Scenario One*
1. Bob makes Bob's Ace Logger, v1.0
2. Sally makes Sally's Awesome Web Framework, v2.0, and it depends on
Bob's Ace Logger v1.0
3. I tell Maven I want Sally's Awesome Web Framework, v2.0, and it
automatically downloads both it and Bob's Ace Logger v1.0
4. Bob realises there is a crucial security flaw in v1.0 of his logger,
fixes it and releases 1.0.1, which is interface- and
functionally-compatible with 1.0
5. Sally doesn't know about Bob's security flaw or the update
6. Because Sally never updates her POM, my application continues to use
the flawed logger


*Scenario Two*
(1-4 are the same)
1. Bob makes Bob's Ace Logger, v1.0
2. Sally makes Sally's Awesome Web Framework, v2.0, and it depends on
Bob's Ace Logger v1.0
3. I tell Maven I want Sally's Awesome Web Framework, v2.0, and it
automatically downloads both it and Bob's Ace Logger v1.0
4. Bob realises there is a crucial security flaw in v1.0 of his logger,
fixes it and releases 1.0.1, which is interface- and
functionally-compatible with 1.0
5. Sally has been working on Sally's Awesome Web Framework, v3.0, and
changes it to use the updated Bob's Ace Logger v1.0.1
6. For reasons known only to my manager, I am not allowed to upgrade to
Sally's v3.0 framework, so have to continue using 2.0, which relies on
Bob's flawed Logger 1.0




--
Stephen Duncan Jr
www.stephenduncanjr.com
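The direct-declaration fix Stephen describes, which covers both of Graham's scenarios, as an added example that is not part of the thread: a pom.xml fragment that depends on Sally's framework 2.0 and pins the patched logger by declaring it directly. The groupIds and artifactIds are assumed placeholders, since the thread names no real coordinates.

```xml
<!-- Added example, not from the thread. All coordinates are assumed placeholders. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0</version>

  <dependencies>
    <!-- Sally's framework 2.0 transitively pulls in ace-logger 1.0, the flawed build. -->
    <dependency>
      <groupId>com.sally</groupId>
      <artifactId>awesome-web-framework</artifactId>
      <version>2.0</version>
    </dependency>

    <!-- Declaring the logger directly makes it a depth-1 dependency. Maven's
         "nearest wins" mediation prefers it over the depth-2 copy that arrives
         through Sally's POM, so the patched 1.0.1 is what ends up on the classpath.
         Nothing in Sally's POM needs to change, which is why this also works
         when you are stuck on her 2.0 release. -->
    <dependency>
      <groupId>com.bob</groupId>
      <artifactId>ace-logger</artifactId>
      <version>1.0.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the result with `mvn dependency:tree`: ace-logger 1.0.1 should appear once, at the top level, and 1.0 should no longer be listed.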
