There is a plugin by a friend of a friend (don't ask me what it's called) that writes out a de-ranged pom.xml as part of the build. In the event that you need to reproduce a build (e.g., branching from a tag for a production fix), you swap in the tag, drop in the pom, make the change downstream as required, depend on it with [], and continue. We use ranges here for the entire tree. External deps are isolated through compositions with fixed [] deps, and they themselves are ranged (because we control them). It does require "semver discipline"; however, it makes for predictable and fluid development forward. Do note that you need to de-range transitively for this to work, i.e., transitively resolved artefacts must be in the new fixed pom.
On Tue, Oct 27, 2015 at 6:03 AM, Benson Margulies <[email protected]> wrote:
> On Mon, Oct 26, 2015 at 11:42 AM, Anders Hammar
> <[email protected]> wrote:
> > You're right, this is the problem. What would need to be done is the
> > version to be fixed for the release version (tag).
>
> Do we have any tooling for this? In my imagination, the top pom for a
> product to be released could be auto-decorated with
> dependencyManagement locks.
>
> > /Anders (mobile)
> > On 26 Oct 2015 15:55, "Benson Margulies" <[email protected]> wrote:
> >
> >> Folks,
> >>
> >> I would appreciate some assistance in thinking through the
> >> implications of the use of version ranges.
> >>
> >> As a thought experiment, consider a loosely-coupled collection of
> >> Maven projects, maintained with a semver discipline.
> >>
> >> Each component has dependencies, and those are written with ordinary
> >> dependency elements. No dependency management, no ranges.
> >>
> >> Maven will resolve version numbers, and the builds will be 100%
> >> reproducible. However, the resolution algorithm is not semver, it's
> >> doing the tree distance thing.
> >>
> >> So, to get semver semantics, I might consider adding ranges. However,
> >> and here I hope I'm confused, I just lost reproducibility. If someone
> >> adds a new version to the repository, a re-run of the build will
> >> select it if it satisfies the ranges. Rebuilding from the tag is not
> >> the same build.
> >>
> >> Am I missing something? Could it be that the release process somehow
> >> resolves the ranges and writes them into the poms?
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
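What the "de-ranged pom" in the reply amounts to, and what Benson's "release process resolves the ranges and writes them into the poms" would need, is a lock step: replace every range on a direct dependency with the version that was actually resolved, and pin every resolved artifact, transitives included, in dependencyManagement. The following is an added example written for this page; it is not the plugin the reply mentions and not Maven's own code. It assumes the resolved tree has already been produced and is handed over as lines in the shape `mvn dependency:list` prints (groupId:artifactId:type[:classifier]:version:scope); the pom, the coordinates and the listing below are all constructed.

```python
"""De-range a Maven pom so a rebuild from the tag cannot pick up a newer
artifact that merely satisfies a range. Added example; constructed data."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
RANGE_RE = re.compile(r"^[\[(].*[\])]$")  # Maven range syntax: [1.2,2.0), [3.0,), (,1.0]

# Constructed pom with two ranged direct dependencies (not from the thread).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>app</artifactId>
  <version>1.4.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>core</artifactId>
      <version>[1.2,2.0)</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>util</artifactId>
      <version>[3.0,)</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed resolved tree in the line shape `mvn dependency:list` prints.
# `log` is a transitive dependency of core that the pom never names, so it
# can only be locked through dependencyManagement.
SAMPLE_RESOLVED = """\
   org.example:core:jar:1.3.2:compile
   org.example:util:jar:3.1.0:compile
   org.example:log:jar:0.9.1:compile
"""


def parse_resolved(listing):
    """Return {(groupId, artifactId): version} from dependency:list style lines."""
    pinned = {}
    for line in listing.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank or non-coordinate line
        version = parts[4] if len(parts) == 6 else parts[3]  # classifier shifts the version
        pinned[(parts[0], parts[1])] = version
    return pinned


def versions(pom_text, xpath):
    """{(groupId, artifactId): version} for every <dependency> matched by xpath."""
    root = ET.fromstring(pom_text)
    return {(d.findtext("m:groupId", namespaces=NS), d.findtext("m:artifactId", namespaces=NS)):
            d.findtext("m:version", namespaces=NS)
            for d in root.findall(xpath, NS)}


def derange_pom(pom_text, listing):
    """Return the pom as XML text with ranges resolved and all versions locked.
    Refuses to emit a pom if a ranged dependency has no resolved version."""
    ET.register_namespace("", POM_NS)
    root = ET.fromstring(pom_text)
    pinned = parse_resolved(listing)

    # 1. A version on a direct dependency takes precedence over
    #    dependencyManagement, so the range has to be replaced in place.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = (dep.findtext("m:groupId", namespaces=NS), dep.findtext("m:artifactId", namespaces=NS))
        ver = dep.find("m:version", NS)
        if ver is not None and ver.text and RANGE_RE.match(ver.text.strip()):
            if key not in pinned:
                raise ValueError(f"ranged dependency {key[0]}:{key[1]} was not resolved")
            ver.text = pinned[key]

    # 2. Pin every resolved coordinate, transitives included; existing
    #    managed entries are overwritten rather than duplicated.
    dm = root.find("m:dependencyManagement", NS)
    if dm is None:
        dm = ET.SubElement(root, f"{{{POM_NS}}}dependencyManagement")
    deps = dm.find("m:dependencies", NS)
    if deps is None:
        deps = ET.SubElement(dm, f"{{{POM_NS}}}dependencies")
    managed = {(d.findtext("m:groupId", namespaces=NS), d.findtext("m:artifactId", namespaces=NS)): d
               for d in deps.findall("m:dependency", NS)}
    for (group, artifact), version in sorted(pinned.items()):
        existing = managed.get((group, artifact))
        if existing is not None and existing.find("m:version", NS) is not None:
            existing.find("m:version", NS).text = version
            continue
        d = ET.SubElement(deps, f"{{{POM_NS}}}dependency")
        for tag, text in (("groupId", group), ("artifactId", artifact), ("version", version)):
            ET.SubElement(d, f"{{{POM_NS}}}{tag}").text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(derange_pom(SAMPLE_POM, SAMPLE_RESOLVED))
```

Both steps are needed: leaving the range on the direct dependency and only adding a managed version would not lock it, because Maven prefers the version written on the dependency itself, while a transitive artifact the pom never declares can only be fixed through dependencyManagement, which is the "de-range transitively" point in the reply. The script refuses to write a pom when a ranged dependency has no resolved version, since an unlocked range is exactly the rebuild-from-tag drift Benson describes. Commit the emitted pom on the tag (or the fix branch) and the rebuild no longer depends on what has since been published to the repository.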
