> Version ranges solve this problem. > They don't. They introduce new categories of problems (reproducibility, boundaries) and don't account for the fact that liveliness of a version is post-publication (a vulnerability is rarely discovered before releasing, typically).
> Whether or not JPMS enforces version constraints, the inability to even > state a dependency upon a version of a module has created duplication.You > have to state "require module" in module-info, and you have to repeat it > with additional version information in the build descriptor (pom.xml, > build.gradle, etc). > You don't have to repeat. There's nothing that says that _you_ should write the module file. Also, the build tool _may_ source the dependencies from the module info file (but it wouldn't be enough, because you want different dependencies for test, compile, API, ...). Also a version is often misleading. What does it mean when you write "I depend on 1.0.4". Does it mean that it doesn't work on 1.0.3, or does it mean that it was the latest version that was available when you built? Or does it mean that actually this version is provided by your runtime environment, so it's a strict dependency? We're currently tackling all these problems, which are real world problems on medium to large scale applications. A single version number is often not enough: you need constraints, and sometimes variants (think classifiers). > > > > In what sense is module-info focused on the runtime aspect? It is enforced > at both compile time and runtime, and yet it does not provide sufficient > information for either the build tooling OR the runtime to assemble a > consistent set of modules that work together. > > The module info file defines the module graph, and is enforced at compile and runtime. However, it doesn't account for what you need: - when you build your library: API and implementation dependencies - when someone builds against your library: only API dependencies - when you run the library (API, implementation and "runtime only" dependencies) Nor does it know which of does are provided by the runtime environment, or compile tools. It only knows they are required, but barely knows who provides them, and for what use.
