Le samedi 16 février 2019, 11:38:59 CET Emmanuel Bourg a écrit : > Le 15/02/2019 à 17:34, Hervé BOUTEMY a écrit : > > IIUC you don't use the same versions of dependencies (because of > > uniqueness of each lib in Debian [1]) as those used in a "normal > > unconstrained" build from source [2] > > > > I don't yet understand the details of Debian build system, if the symlinks > > are used at build time or only at runtime, but even if you the resulting > > jars of the Debian build from Maven source are the same binaries, the > > execution of Maven does not run with the same dependencies, then there > > may be subtle differences during the run (for example from jansi, or > > guice, or commons-cli or ...) > I try to stick as much as possible to the same versions of the > dependencies, especially the sensitive ones like Guice or Aether, but > there are still some divergences. I've reviewed the dependencies > installed in the /usr/share/maven/lib directory by the maven/3.6.0 > package in Debian unstable and we currently have the following differences: > > Maven Debian > commons-lang3 3.8.1 3.8 > commons-io 2.5 2.6 > guava 25.1 19.0 > jansi 1.17 1.17.1 > jansi-native 1.17 1.18 > maven-shared-utils 3.2.1 3.3.0 > plexus-utils 3.1.0 3.1.1 > wagon 3.2.0 3.3.1 > > The versions are slightly ahead to the ones in Maven 3.6.0, ahead does not always mean better :) but it's good to see a precise measure of the intentionally managed difference between unconstrained Maven distribution (which will become in the future a reproducible build) and Debian choice = where subtle differences in behaviour can happen for users = what should be clearly advertised to users
> except for > Guava. Guava is only used by Guice for Preconditions, immutable > collections and other basic operations. I don't think the difference is > significant. At least, I've verified that the Guice 4.2.1 tests pass > with Guava 19.0. > > > IIUC, that uniqueness of every library is a Debian principle, then a Maven > > distribution from Debian cannot be equivalent to a "normal" distribution > > where library versions are purely selected by Maven source's pom.xml, > > without adding any constraint This is why having Debian's distribution > > display its name in "mvn -v" would make that more clear. > > > > Let's discuss a little bit about plugins: when Debian launches the "mvn" > > command to build some Debian package, does it use Maven Central like > > anybody? = where do the Maven plugins used during build come from? > There are two different cases: > 1. What Maven does when launched by a user > 2. What Maven does when it's used in a Debian package build > > > 1. When the user launches "mvn" to build a project it behaves as usual > by downloading the dependencies from Maven Central or the other > repositories defined in the pom. The Maven plugins also available as > Debian packages are never used. The only code compiled by Debian that is > executed is the set of dependencies found in the Maven lib directory > (/usr/share/maven/lib). > > The default plugin versions are also exactly identical. Before Maven > 3.5.0 we patched default-bindings.xml to align them with the versions > packaged in Debian. We stopped to preserve the same default behavior. > This is new in Debian 10 "Buster" (and the latest Ubuntu 18.04 LTS), the > current stable version Debian 9 "Stretch" has Maven 3.3.9 with different > default plugins. for users, depending on default plugins versions injected by default biondings is a bad practice: in Maven 3.7.0, MNG-6562 will provide a warning to help users avoid that https://issues.apache.org/jira/browse/MNG-6562 > > > 2. Debian builds are offline, completely disconnected from the network. > It's impossible to download dependencies or plugins from Maven Central. > That's why we recreate a Maven repository in /usr/share/maven-repo/ and > instruct Maven to fetch the dependencies there instead of Maven Central > when building a Debian package. This repository is populated by > installing the packaged plugins and dependencies. great, this is the key strategy that I wanted to discover > > > If there are Maven developers interested I can do a live demo showing > how Maven projects are built into Debian packages. yes, I'm really interested, because I have so many more detailed questions if we do that face to face in a Paris bar, I'll pay you a few beers :) but if many people are interested, having a remote session will be better: we'll have to wait for the beers... Regards, Hervé > > Emmanuel Bourg > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
