If that is true, Why I see groupid is org.holoeverywhere in the maven central?
On Thursday, August 7, 2014 5:09:32 PM UTC-4, William Ferguson wrote: > > Xavier, that would be fine if it every developer was a solo developer AND > they only ever used libraries directly and never transitively. But both of > those cases are clearly false. > > Yes, the HoloEverywhere versions are only available via the repo they are > publishing on Github. But that it much more visible and more reachable than > the version that are being distributed by the Android team which are only > visible once you have manually downloaded those versions via the SDK > Manager and then manually deployed them to your local Maven repository. > > Maven GAVs are supposed to be unique. Once Maven finds a match it stops > looking. So if the HoloEverywhere artifacts get into your repository first > there is no chance of the real artifacts being downloaded (even if they > were available on a public repo). Here's 2 ways that can happen: > > 1) You use a shared repository manager. Someone else has a project that > explicitly references the HE GitHub repo and the HE artifacts. They build > their project first and pollute the repository manager with the HE > artifacts. > > 2) You use an Android library X. It (or one of its dependencies) lists an > explicit reference to the HE Github repo. If you build a project using X > before manually populating your Maven repo with the official support > libraries you will have polluted your local Maven repo with the HE > artifacts. > > So there really isn't any red flag. > Even acting independently with best intent you have made yourself a > unknowing victim. > > This could largely be avoided if the Android team just published the > artifacts through normal channels. > > William > > > > On Fri, Aug 8, 2014 at 5:19 AM, Xavier Ducrohet <[email protected] > <javascript:>> wrote: > >> Where are they getting published? >> >> If there were put on MavenCentral or JCenter that would be a problem but >> it looks like they are just on github? Someone wanting to use them has to >> go find them there, and that should be a red flag anyway. >> >> >> On Thu, Aug 7, 2014 at 4:41 AM, William Ferguson < >> [email protected] <javascript:>> wrote: >> >>> What's the Android team's stance on the non-official versions of the >>> Android support libraries? >>> >>> Eg >>> https://github.com/Prototik/HoloEverywhere/issues/842#issuecomment-49746122 >>> >>> These libraries have the same GAV (groupId, artifactId, version) as the >>> official versions but have totally different contents. This means that the >>> same project built on 2 different machines can produce radically different >>> outputs (unbeknownst to the developers). Or even 2 libraries both listing >>> the same dependency having very different needs and producing some >>> nightmare when combined (again unbeknownst to the developer doing the >>> combining). >>> >>> These libraries are being published in the com.android.* namespace, so >>> appear to be official Android team libraries which means developers are >>> going to start coming to you guys for support as things start to break down >>> at the edges. If the Android team were actually publishing these artifacts >>> into a public repository there wouldn't be a vacuum for incidents like this >>> to occur. >>> >>> So what's the plan to stop this hole getting bigger and deeper? >>> >>> William >>> >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "adt-dev" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected] <javascript:>. >>> >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> Xavier Ducrohet >> Android SDK Tech Lead >> Google Inc. >> http://developer.android.com | http://tools.android.com >> >> Please do not send me questions directly. Thanks! >> >> -- >> You received this message because you are subscribed to a topic in the >> Google Groups "adt-dev" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/adt-dev/2hPuSUYttbg/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected] <javascript:>. >> For more options, visit https://groups.google.com/d/optout. >> > > -- You received this message because you are subscribed to the Google Groups "adt-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
