IMO version ranges are best used for developing plugins, more specifically plugin dependencies. By using a version range for a dependency rather than a specific version, the plugin can be more easily used in different POMs using different versions of dependencies.
I've done a full lock down of plugin versions by specifying the actual version and not the version range in the pom.xml. The maven-enforcer-plugin and specifically the rule 'requirePluginVersions' can help you with this.

Jan Fredrik Wedén wrote:
>
> Greetings,
>
> I'm attempting to follow best practice and lock down plugins in our
> parent POM. From what I understand, I should use a version range
> instead of a plain version number to accomplish a true lock down for
> future reproducibility. E.g. for the clean plugin I would use [2.2]
> instead of just 2.2 as Maven considers the latter to be a
> recommendation rather than a requirement.
>
> Now trouble starts, I attempt to put the pluginManagement section
> below in my POM and execute mvn clean. From the output below it seems
> like Maven is attempting to resolve the version as "[2.2]" instead of
> resolving the range to a fixed version first. The same thing happens
> when I try to add the plugin definitions to <build><plugins> instead.
> However, a version range in my dependencies section resolves like a
> charm. Could be that I've not understood how plugin lock down should
> work, though...
>
> I'm running Maven 2.0.9 on Windows JDK 1.5 through Cygwin. We have set
> up Proximity as a corporate proxy and I have followed the guide in the
> Sonatype book to configure repositories and mirrors in my settings.
>
> Adding this block to my POM:
>
> <pluginManagement>
>   <plugins>
>     <plugin>
>       <groupId>org.apache.maven.plugins</groupId>
>       <artifactId>maven-clean-plugin</artifactId>
>       <version>[2.2]</version>
>     </plugin>
>   </plugins>
> </pluginManagement>
>
> Produces the output below:
>
> $ mvn clean -N
> [INFO] Scanning for projects...
> [INFO] ------------------------------------------------------------------------
> [INFO] Building CORP parent POM
> [INFO] task-segment: [clean]
> [INFO] ------------------------------------------------------------------------
> Downloading: http://corp-server/proximity/repository/external/org/apache/maven/plugins/maven-clean-plugin/[2.2]/maven-clean-plugin-[2.2].pom
> Downloading: http://corp-server/proximity/repository/public/org/apache/maven/plugins/maven-clean-plugin/[2.2]/maven-clean-plugin-[2.2].pom
> [INFO] ------------------------------------------------------------------------
> [ERROR] BUILD ERROR
> [INFO] ------------------------------------------------------------------------
> [INFO] Failed to resolve artifact.
>
> GroupId: org.apache.maven.plugins
> ArtifactId: maven-clean-plugin
> Version: [2.2]
>
> Reason: Unable to download the artifact from any repository
>
> org.apache.maven.plugins:maven-clean-plugin:pom:[2.2]
>
> from the specified remote repositories:
> px-external (http://corp-server/proximity/repository/external),
> px-public (http://corp-server/proximity/repository/public)
>
> [INFO] ------------------------------------------------------------------------
> [INFO] For more information, run Maven with the -e switch
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1 second
> [INFO] Finished at: Thu Jul 03 16:16:54 CEST 2008
> [INFO] Final Memory: 2M/63M
> [INFO] ------------------------------------------------------------------------
>
> Any clues?
>
> --
> - Jan Fredrik Wedén

--
View this message in context: http://www.nabble.com/Lock-down-of-plugin-versions-tp18260685p18299612.html
Sent from the Maven - Users mailing list archive at Nabble.com.
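A small stand-alone checker for the lock-down discussed in this thread, added here as an example and not code from either poster or from the Maven project: it flags plugin declarations whose version is missing, written as a range such as [2.2], or set to LATEST, RELEASE or a snapshot. The function names and the sample POM are constructed for illustration, and it inspects only the one file, so versions inherited from a parent POM are not seen.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM; the first entry is the declaration quoted in the thread.
SAMPLE_POM = """<project><build>
  <pluginManagement><plugins>
    <plugin><groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-clean-plugin</artifactId><version>[2.2]</version></plugin>
    <plugin><artifactId>maven-jar-plugin</artifactId><version>2.2</version></plugin>
  </plugins></pluginManagement>
  <plugins>
    <plugin><artifactId>maven-jar-plugin</artifactId></plugin>
    <plugin><artifactId>maven-surefire-plugin</artifactId></plugin>
    <plugin><artifactId>maven-compiler-plugin</artifactId><version>LATEST</version></plugin>
  </plugins>
</build></project>"""

def local(tag):
    """Element name without any '{namespace}' prefix (POMs may or may not declare one)."""
    return tag.rsplit("}", 1)[-1]

def child_text(el, name):
    """Text of the direct child called `name`, or '' when it is absent."""
    for child in el:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def problem(version):
    """Return why a version string is not an exact pin, or None if it is one."""
    if not version:
        return "no version declared"
    if re.search(r"[\[\]\(\),]", version):
        return "range syntax"
    if version in ("LATEST", "RELEASE"):
        return "floating keyword"
    if version.endswith("-SNAPSHOT"):
        return "snapshot"
    return None

def audit(pom_text):
    """Map 'groupId:artifactId' to the reason it is not locked down in this file."""
    declared = {}
    for el in ET.fromstring(pom_text).iter():
        if local(el.tag) != "plugin":
            continue
        gid = child_text(el, "groupId") or "org.apache.maven.plugins"
        key = f"{gid}:{child_text(el, 'artifactId')}"
        # A versionless <plugin> is fine when pluginManagement supplies the version.
        declared[key] = declared.get(key) or child_text(el, "version")
    return {k: problem(v) for k, v in declared.items() if problem(v)}
```

Calling `audit(SAMPLE_POM)` reports the clean, surefire and compiler plugins and leaves maven-jar-plugin out, because its version is pinned to 2.2 in pluginManagement.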
