On Sun, May 25, 2008 at 5:28 PM, Giovanni Azua <[EMAIL PROTECTED]> wrote:
> Hi Simon,
>
> Many thanks to you all for the replies!
>
> The issue here is reliability and reproducibility of the builds.
>
> 1) Locking down versions is needed for reproducibility of the builds. If
> maven decides silently for you what the resolution of conflicts is going to
> be, most likely you will end up with a runtime time bomb just waiting to
> blow. Very likely one of the two dependencies (A or B) will fail with
> whatever the selected version of C is. IMO the most sensible thing to do in
> this scenario would be to have maven breaking the build explaining the
> conflict and letting the user fix the dependencies. If maven silently
> decides, the only provision developers have against runtime troubles is
> having high test coverage in place, assuming high test coverage is usually
> wishful thinking.
>

That won't work if the source of your conflict is a third-party dependency. If you need to lock down, use version ranges.

> 2) Using md5sum is a safer way to ensure that the same specific release is
> being pulled, e.g. a scenario like the one explained in the OP. Using md5sum
> also favors reproducibility, and it is especially useful in places where the
> same release version of a component is re-released several times (I work in
> one of those places) whereas in maven it implies you diligently provide a
> new different version each time. AFAIK there is nothing in Maven that
> prevents re-releasing the same version number/label several times,
> therefore it is a Pandora's box against reproducibility of builds.
>

md5sum is not easy to type. A version is, and it is reproducible.

> Many thanks!
>
> Best regards,
> Giovanni
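An added example, not from this thread or either poster, showing how a Maven POM can give point 1 the behaviour Giovanni asks for: pin the transitive dependency C in `dependencyManagement` so the choice is explicit and reviewed, and let the Enforcer plugin's `dependencyConvergence` rule fail the build on any remaining conflict instead of leaving it to Maven's silent nearest-wins resolution; B uses a version range as Simon suggests. The `com.example` coordinates and versions are constructed placeholders, and the enforcer plugin version is an assumption.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>  <!-- constructed placeholder coordinates -->
  <artifactId>app</artifactId>
  <version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <!-- A and B pull C transitively at different versions; pinning C here replaces the silent nearest-wins pick -->
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>c</artifactId>
        <version>2.1.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>a</artifactId>
      <version>1.4.2</version>  <!-- exact version: reproducible -->
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>b</artifactId>
      <version>[3.0,3.1)</version>  <!-- range: newest 3.0.x available at build time -->
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>  <!-- assumption: use a current release -->
        <executions>
          <execution>
            <id>fail-on-dependency-conflict</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- fails the build and prints both dependency paths when two versions of one unmanaged artifact meet -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn -C verify` (`--strict-checksums`) additionally fails the build when a downloaded artifact does not match the checksum published by the repository, which covers the download-integrity side of point 2 but not a same-version re-release.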
