Hi Simon, Many thanks to you all for the replies!
The issue here is reliability and reproducibility of the builds.

1) Locking down versions is needed for reproducibility of the builds. If Maven decides silently for you what the resolution of conflicts is going to be, most likely you will end up with a runtime time bomb just waiting to blow. Very likely one of the two dependencies (A or B) will fail with whatever the selected version of C is. IMO the most sensible thing to do in this scenario would be to have Maven break the build, explaining the conflict and letting the user fix the dependencies. If Maven silently decides, the only provision developers have against runtime troubles is having high test coverage in place, and assuming high test coverage is usually wishful thinking.

2) Using md5sum is a safer way to ensure that the same specific release is being pulled, e.g. in a scenario like the one explained in the OP. Using md5sum also favors reproducibility, and it is especially useful in places where the same release version of a component is re-released several times (I work in one of those places), whereas in Maven it implies you diligently provide a new, different version each time. AFAIK there is nothing in Maven that prevents re-releasing the same version number/label several times, therefore it is a Pandora's box against reproducibility of builds.

Many thanks!

Best regards,
Giovanni
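As an added illustration (not part of Giovanni's mail or of any Maven project file), the pom.xml fragment below shows the mitigations the two points describe: an explicit version pin for the contested transitive dependency, the maven-enforcer-plugin dependencyConvergence rule so that a version conflict fails the build with the conflicting paths listed, and a strict checksumPolicy for downloads. The com.example coordinates and the lib-c version are constructed placeholders.

```xml
<!-- Added example, not from the mail or from Maven itself.
     Assumed (constructed) setup: this project depends on lib-a and
     lib-b, which each pull in a different version of lib-c. -->
<project>
  <!-- 1) Pin the transitive dependency explicitly, so the version that
          ends up on the classpath is a recorded decision rather than
          the outcome of Maven's silent nearest-wins resolution. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>lib-c</artifactId>
        <version>2.1.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Fail the build when the dependency tree contains more than
           one version of the same artifact; the enforcer prints each
           conflicting path so the developer can resolve it. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <!-- 2) Refuse artifacts whose downloaded bytes do not match the
          checksum file published next to them (default is only warn). -->
  <repositories>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
      <releases>
        <checksumPolicy>fail</checksumPolicy>
      </releases>
    </repository>
  </repositories>
</project>
```

Note that checksumPolicy compares the download against the .md5/.sha1 file served by the same repository, so it catches corrupted or tampered transfers but not a version that was quietly re-released with a fresh checksum; pinning a known digest per artifact needs tooling outside core Maven.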
