On Sun, Feb 15, 2009 at 16:55, Stefano Bagnara <[email protected]> wrote:
<snip/>
>>> Is maven version 2.0.6 still sufficient?
>>> And for me "mvn package" always did the job; no -U, no -Plocal..
>>>
>>
>> Neither option is required. I guess -Plocal can come in handy when building
>> packages while off-line.
>
> -Plocal has been introduced as a *compromise* by me 2 years ago, after
> working weeks (if not months) trying to satisfy really strict security
> requirements from other PMC members. They were rejecting the use of maven
> to make releases if this meant to use remote repositories because of
> security concerns.
>
> Even if I understand and share the security issues and the
> reproducibility issues with m2, I always thought that the whole issue
> was a big waste of time for me and for the JAMES project. THE solution
> for maven and this issue is to set up our own repository with a
> repository manager. Unfortunately it seems there is no will to set up
> this kind of 3rd party repository inside the ASF.
>
> The whole thing had already found inconsistency when we decided that we
> were not entitled shipping poms for jars that we ship in the stage folder
> (especially wrt javamail stuff).
>
> That said, here is my +1 to remove the -Plocal suggestion in BUILDING.txt.

For me the foremost reason to not rely on a remote maven repo is that I firmly believe that any ASF project should be self-hosting. (I'm repeating myself here of course, but I'd like to say it again as the maven question has been brought up again.)

Self-hosting has its limits, of course we won't keep copies of ant or the JDK around. But all the funny (to use a nice f-word) little maven dependencies and plug-ins can really make your day, especially when not accessible, either because servers are unreachable or working offline.

For example: I'm connected to the net right now. I run 'mvn dependency:tree' on a James server trunk checkout and I'm getting errors. Mmhhh. Maybe this mvn build is not maintained, but the general experience is: If maven works, you're fine. But if you get dependency errors, you are really in trouble.

Purging a local m2 repo cannot be recommended. So pristine builds are not really happening, because of the local m2.

What if somebody wants to build one of our mvn-dependent products in 5 or 10 years? Should that work? I firmly doubt it will!

Maybe the solution is to establish a repo for our James product dependencies here in our own project. But that will likely create distribution issues.

I don't want to be a PITA, you can change the build to not depend on -Plocal. I back up my local m2 anyway.

Bernd
