What you're saying sounds reasonable, I agree. Still waiting for
Enforcer 1.0 release to take advantage of requirePluginVersions,
though :-) Any updates, Brian?

My original attempt at this started from reading the users list and
docs about version ranges. Whenever version ranges were mentioned in
Mavenland it stated that a plain version was a recommendation, while a
plain version surrounded by brackets was a requirement ("locked down"
version). From my tiny experiment here, and people's responses, I take
it that just a plain version will achieve what I want for plugins.
I'll start implementing this for our POMs.

Thanks for all your input.

On Sun, Jul 6, 2008 at 9:36 AM, Wouter Hermeling <[EMAIL PROTECTED]> wrote:
>
> IMO version ranges are best used for developing plugins, more specifically
> plugin dependencies. By using a version range for a dependency rather than a
> specific version, the plugin can be more easily used in different POMs
> using different versions of dependencies.
>
> I've done a full lock down of plugin versions by specifying the actual
> version and not the version range in the pom.xml. The maven-enforcer-plugin
> and specifically the rule 'requirePluginVersions' can help you with this.
>
>
>
> Jan Fredrik Wedén wrote:
>>
>> Greetings,
>>
>> I'm attempting to follow best practice and lock down plugins in our
>> parent POM. From what I understand, I should use a version range
>> instead of a plain version number to accomplish a true lock down for
>> future reproducibility. E.g. for the clean plugin I would use [2.2]
>> instead of just 2.2 as Maven considers the latter to be a
>> recommendation rather than a requirement.
>>
>> Now trouble starts, I attempt to put the pluginManagement section
>> below in my POM and execute mvn clean. From the output below it seems
>> like Maven is attempting to resolve the version as "[2.2]" instead of
>> resolving the range to a fixed version first. The same thing happens
>> when I try to add the plugin definitions to <build><plugins> instead.
>> However, a version range in my dependencies section resolves like a
>> charm. Could be that I've not understood how plugin lock down should
>> work, though...
>>
>> I'm running Maven 2.0.9 on Windows JDK 1.5 through Cygwin. We have set
>> up Proximity as a corporate proxy and I have followed the guide in the
>> Sonatype book to configure repositories and mirrors in my settings.
>>
>> Adding this block to my POM:
>>
>> <pluginManagement>
>>   <plugins>
>>     <plugin>
>>       <groupId>org.apache.maven.plugins</groupId>
>>       <artifactId>maven-clean-plugin</artifactId>
>>       <version>[2.2]</version>
>>     </plugin>
>>   </plugins>
>> </pluginManagement>
>>
>> Produces the output below:
>>
>> $ mvn clean -N
>> [INFO] Scanning for projects...
>> [INFO] ------------------------------------------------------------------------
>> [INFO] Building CORP parent POM
>> [INFO] task-segment: [clean]
>> [INFO] ------------------------------------------------------------------------
>> Downloading: http://corp-server/proximity/repository/external/org/apache/maven/plugins/maven-clean-plugin/[2.2]/maven-clean-plugin-[2.2].pom
>> Downloading: http://corp-server/proximity/repository/public/org/apache/maven/plugins/maven-clean-plugin/[2.2]/maven-clean-plugin-[2.2].pom
>> [INFO] ------------------------------------------------------------------------
>> [ERROR] BUILD ERROR
>> [INFO] ------------------------------------------------------------------------
>> [INFO] Failed to resolve artifact.
>>
>> GroupId: org.apache.maven.plugins
>> ArtifactId: maven-clean-plugin
>> Version: [2.2]
>>
>> Reason: Unable to download the artifact from any repository
>>
>> org.apache.maven.plugins:maven-clean-plugin:pom:[2.2]
>>
>> from the specified remote repositories:
>> px-external (http://corp-server/proximity/repository/external),
>> px-public (http://corp-server/proximity/repository/public)
>>
>>
>> [INFO] ------------------------------------------------------------------------
>> [INFO] For more information, run Maven with the -e switch
>> [INFO] ------------------------------------------------------------------------
>> [INFO] Total time: 1 second
>> [INFO] Finished at: Thu Jul 03 16:16:54 CEST 2008
>> [INFO] Final Memory: 2M/63M
>> [INFO] ------------------------------------------------------------------------
>>
>>
>> Any clues?
>>
>> --
>> - Jan Fredrik Wedén
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Lock-down-of-plugin-versions-tp18260685p18299612.html
> Sent from the Maven - Users mailing list archive at Nabble.com.
--
- Jan Fredrik Wedén
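
The lock-down discussed in this thread can be checked mechanically. The following is an added example, not code from the thread, from Maven or from the Enforcer plugin: a small POM audit that flags plugins with no version, a bracketed range such as the `[2.2]` that failed to resolve above, or a floating or snapshot version. The function names and the sample POM are constructed for illustration, and only the POM passed in is inspected (versions inherited from a parent POM are not seen).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM: the bracketed version from the original post,
# one plugin with no version at all, and one plain (pinned) version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><build>
  <pluginManagement><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-clean-plugin</artifactId>
    <version>[2.2]</version>
  </plugin></plugins></pluginManagement>
  <plugins>
    <plugin><artifactId>maven-jar-plugin</artifactId></plugin>
    <plugin><artifactId>maven-compiler-plugin</artifactId><version>2.0.2</version></plugin>
  </plugins>
</build></project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM XML namespace, if any

def _text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def _key(plugin):
    # Maven defaults a plugin's groupId to org.apache.maven.plugins
    return f'{_text(plugin, "groupId") or "org.apache.maven.plugins"}:{_text(plugin, "artifactId")}'

def classify(version):
    if not version:
        return "missing"
    if re.search(r"[\[\](),]", version):
        return "range"      # e.g. [2.2], which failed to resolve in the thread
    if version in ("LATEST", "RELEASE"):
        return "floating"   # resolves to whatever is newest at build time
    if version.endswith("-SNAPSHOT"):
        return "snapshot"   # content can change under the same version string
    return "pinned"

def audit_plugin_versions(pom_text):
    """Return (plugin, problem) pairs for plugins not pinned to a plain version."""
    root = ET.fromstring(pom_text)
    plugins = lambda node: [e for e in node.iter() if _local(e.tag) == "plugin"]
    managed = {_key(p) for pm in root.iter() if _local(pm.tag) == "pluginManagement"
               for p in plugins(pm) if _text(p, "version")}
    found = [(_key(p), classify(_text(p, "version"))) for p in plugins(root)]
    # A version-less plugin is fine when this POM's pluginManagement supplies one.
    return [(k, s) for k, s in found
            if s != "pinned" and not (s == "missing" and k in managed)]
```

Calling `audit_plugin_versions(open("pom.xml").read())` in a CI step and failing the build on a non-empty result gives a lock-down check for a single POM.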