Here is the formal definition of Maven's "proximity" rule, which is incidentally
called dependency mediation:
# Dependency mediation - this determines what version of a dependency will be
used when multiple versions of an artifact are encountered. Currently, Maven 2.0
only supports using the "nearest definition" which means that it will use the
version of the closest dependency to your project in the tree of dependencies.
You can always guarantee a version by declaring it explicitly in your project's
POM. Note that if two dependency versions are at the same depth in the
dependency tree, until Maven 2.0.8 it was not defined which one would win, but
since Maven 2.0.9 it's the order in the declaration that counts: the first
declaration wins.
* "nearest definition" means that the version used will be the closest one
to your project in the tree of dependencies, eg. if dependencies for A, B, and C
are defined as A -> B -> C -> D 2.0 and A -> E -> D 1.0, then D 1.0 will be used
when building A because the path from A to D through E is shorter. You could
explicitly add a dependency to D 2.0 in A to force the use of D 2.0
Quoted from
http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
HTH,
Sagara Gunathunga wrote:
On Fri, Oct 16, 2009 at 3:25 PM, Ceki Gulcu <c...@qos.ch> wrote:
Andreas Veithen wrote:
Looking at the Apache WS universe alone:
- Woden depends on slf4j-log4j12
- Rampart directly depends on slf4j-jdk14 and transitively (via
opensaml2) on jcl-over-slf4j and log4j-over-slf4j.
Woden includes slf4j-log4j12 in the runtime scope, excludes log4j and
then includes it a few lines below. This indicates that the author did
not know about maven proximity rules. The exclusion declaration within
the slf4j-log4j12 dependency declaration is unnecessary as a local
declaration trumps dependency declarations made upstream. Although
this might not be true for dependencies in the runtime scope, in which
case you can strike my comment about the author not knowing proximity
rules. Anyway, I think the log4j dependency should have been made in
the test scope and not runtime.
I like to comment only about Woden. I'm not an expert in Maven
proximity but what i have experienced during several projects are
different versions of same Jar file at runtime and leads into some
version mismatch exceptions. Most of the time people find those issues
once they get a runtime exception, normally in practice we don't use
Maven dependency plug-in every time to analyze dependencies. That why
I thought to define all dependencies explicitly with exact versions
without depend on transitive dependency resolution. In case of SLF4J
those issues might be wrong but I don't want to make it as special
case .
BTW there was recent voting thread on Woden list [1] about the
logging strategy , Most probably current strategy will change in near
future.
[1] -
http://www.nabble.com/-VOTE--Vote-for-Woden-Logging-Strategy-td25854390.html
Thanks ,
As you say rampart declares a compile (default) dependency on
slf4j-jdk14 and a test time dependency on log4j.
IMHO, dependencies on slf4j bindings should be in the test scope.
These are the two projects in Apache WS that I know are using SLF4J
and both include unnecessary dependencies on bindings/bridges.
BTW, it doesn't surprise me to see dependencies on slf4j bindings. The
reason is quite simple: everybody wants to make his own project as
easy to use as possible. If a project X doesn't declare any
dependencies on an slf4j binding, then the user has to declare another
dependency to make library X work. If the user doesn't know SLF4J or
didn't read project X's documentation, he might blame X. On the other
hand, if X declares a dependency on a binding that causes a conflict
with project Y, then the user has no reason to blame either X or Y in
particular.
Interesting perspective. Any responsible developer can see that declaring a
dependency on an slf4j-binding in a scope other than test has undesirable
consequences downstream. If asked properly, I would assume that they would
kindly oblige.
There is really no contradiction here. From an architectural point of
view, I like the approach, but from a dependency management
perspective, it is not as nice as I would like. Interestingly most of
the issues point to a missing feature in Maven, namely virtual
dependencies (which would work in a similar way as virtual packages in
Debian's package management system). There is a similar problem with
the Java Activation Framework and JavaMail: there are two
implementations of these APIs, one from Sun and one from Geronimo.
There is no way (other than using explicit exclusions) to tell Maven
that these are substitutes of each other and that it if both appear as
transitive dependencies it would be sufficient to retain one of them
to satisfy the dependencies of the project.
Did you ever think about trying to convince the Maven people to
implement such a feature?
There have been request in this direction but if I remember correctly they
have been met with some resistance from the maven folks.
--
Ceki Gülcü
Logback: The reliable, generic, fast and flexible logging framework for
Java.
http://logback.qos.ch
--
Ceki Gülcü
Logback: The reliable, generic, fast and flexible logging framework for Java.
http://logback.qos.ch
