> -----Original Message-----
> From: John Casey [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 07, 2005 7:12 PM
> To: Maven Developers List
> Subject: Re: POM issues in the repository
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 1. define sanity.
> 
> 2. define validity.
> 
> We have a tool out there right now that converts POMs from 
> the m1 repository to the m2 repository, and does some meager 
> checking on the XML/model validity of the POM on the way. 
> HOWEVER, that's not the same as saying it checks that all of 
> that POM's deps are in the repository.
> 
> Reiterating what Emmanuel said, we do have plans to enhance 
> this application and provide much more 
> functionality...eventually. So far, we've been emphasizing 
> the development and stability of m2 over this tool. If you'd 
> like to log a specific issue, you might want to do so in the 
> Maven Repository Manager project (MRM) in JIRA...if it's a 
> specific POM you're having trouble with, you can do one of two things:
> 
> 1. add an exclusions block to your dependency (useful for 
> dom4j). This will work if the dependency has a dependency 
> which is only used in certain cases, which you are not interested in.
> 
> 2. file an issue in MEV (Maven Evangelism) JIRA, or enhance a 
> current issue. If the POM is really bad (not just a bad build 
> design on the part of dom4j or something), then we can only 
> fix our copy and get in touch with the dom4j guys to fix it 
> at the source. However, if for some reason that POM's 
> filesystem timestamp changes in our staging repository, the 
> same old problems will be re-propagated. This is because we 
> consider the dependencies given by a project's development 
> team in the POM to be authoritative by default.
> 
> We're all pretty much aware that the metadata from the 
> maven-1 repository is somewhat lacking, to say the least. 
> Unfortunately, due to the decentralized control over the 
> repository's contents (projects are supposed to be in control 
> of their own information, as we cannot be experts on all 
> projects we supply in the repository), I'm not at all 
> convinced that there is an easier way to clean this stuff up.
> 
> Of course, suggestions and help are both very welcome. :)
> 

If I can have a suggestion:

I think the fact that the repository is changing constantly is even worse than the
fact that some POMs are missing or are incorrect.

I cannot imagine somebody using m2 in production and relying on such an
unstable repository, which introduces indeterminism to builds.
It's enough to change the order of dependencies in one of the POMs and
some builds might be broken or, what's very serious,
not possible to reproduce in the future.

From this perspective it might be better to have a smaller but high quality
repository which is growing than a big crappy repository containing
invalid POMs or "naked" POMs like this one
(http://www.ibiblio.org/maven2/axis/axis/1.2/axis-1.2.pom):

<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>axis</groupId>
  <artifactId>axis</artifactId>
  <version>1.2</version>
</project>


IMO at least a project description and license should be present in all POMs
in the repository.
It would be nice to have more things in those POMs (e.g. URL of the main
website, organization section, etc.).
And unfortunately no tool can provide this information automatically. You
need many people to help you with that!


Michal

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
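
The metadata check suggested in the reply above, as an added example that is not part of the original thread or of any Maven tool: it audits a POM for the description and license the reply calls a minimum, and warns on the url and organization it calls nice to have. The function names and the second sample POM are hypothetical, and the inputs are assumed to be trusted local files.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "naked" axis 1.2 POM quoted in the message above.
NAKED_POM = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>axis</groupId>
  <artifactId>axis</artifactId>
  <version>1.2</version>
</project>"""
# Constructed sample with hypothetical values, carrying the requested metadata.
DESCRIBED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <description>Demo library</description>
  <url>http://example.org/demo</url>
  <licenses><license><name>Apache-2.0</name></license></licenses>
  <organization><name>Example Org</name></organization>
</project>"""

REQUIRED = ("description", "licenses/license/name")  # "at least" in the reply
RECOMMENDED = ("url", "organization/name")           # "nice to have"

def _local(tag):
    # Strip an optional "{namespace}" prefix; POMs appear with and without one.
    return tag.rsplit("}", 1)[-1]

def _has_text(root, path):
    # True if the slash-separated child path exists with non-blank text.
    nodes = [root]
    for step in path.split("/"):
        nodes = [c for n in nodes for c in n if _local(c.tag) == step]
    return any((n.text or "").strip() for n in nodes)

def audit_pom(xml_text):
    """Return (errors, warnings) for one POM document."""
    try:
        root = ET.fromstring(xml_text)  # assumption: trusted input
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], []
    if _local(root.tag) != "project":
        return [f"root element is <{_local(root.tag)}>, expected <project>"], []
    errors = [f"missing {p}" for p in REQUIRED if not _has_text(root, p)]
    warnings = [f"missing {p}" for p in RECOMMENDED if not _has_text(root, p)]
    return errors, warnings

if __name__ == "__main__":
    for name, pom in (("axis-1.2", NAKED_POM), ("demo", DESCRIBED_POM)):
        print(name, audit_pom(pom))
```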
