Re: Maven Central Repository - Cleanup Efforts
Then make your own repository. See how useful that is. Jason, you are probably right. http://xircles.codehaus.org/projects/pinin - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Please see my response on the maven-dev list for how this problem is best approached. For everyone's sanity, lets keep the discussion thread on the dev list. On Thu, Oct 1, 2009 at 2:41 PM, Albert Kurucz albert.kur...@gmail.com wrote: Then make your own repository. See how useful that is. Jason, you are probably right. http://xircles.codehaus.org/projects/pinin - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Somebody just gave me an idea what would be an excellent tool to crawl
through a repository and create an index of the artifacts, which pass
some kind of acceptance criteria:
http://docs.codehaus.org/display/M2ECLIPSE/Nexus+Indexer
// get NexusIndexer component from Plexus
PlexusContainer plexus = embedder.getPlexusContainer();
NexusIndexer indexer = (NexusIndexer) plexus.lookup(NexusIndexer.class);
IndexUpdater updater = (IndexUpdater) plexus.lookup(IndexUpdater.class);
// add indexing context (stateful), should be done once for lifetime
if(CONDITION)
{
indexer.addIndexingContext(
indexId, // index id (usually the same as repository id)
repositoryId,// repository id
directory, // Lucene directory where index is stored
repositoryDir, // local repository dir or null for remote repo
repositoryUrl, // repository url, used by index updater
indexUpdateUrl, // index update url or null if derived from repositoryUrl
false, false);
}
What should be the CONDITION?
On Tue, Sep 29, 2009 at 12:02 PM, Albert Kurucz albert.kur...@gmail.com wrote:
For some start-ups, this could mean a business opportunity!
Nobody said, that the quality info should be given away free.
On Tue, Sep 29, 2009 at 7:21 AM, Albert Kurucz albert.kur...@gmail.com
wrote:
Do you really mean that you would like to enforce such -source-release.zip
artefacts to be published?
Not any qualities of the code should be enforced.
But I very much want to be able to find those gems from the big pile of ...
Therefore the artifacts on Central should be search-able and filter-able.
Some people want to add more metadata to support this.
My opinion is that this approach will not work, it just opens the door
for more corruption.
There should be independent software quality certifications agencies,
which issue issue their lists certifying that artifacts on that list
fulfill certain well specified minimum quality measures.
Maven should be able to use the output from these agencies (for
filtering or search).
I hope agencies will maintain high quality of their database, because
credibility can be lost only once.
On Sat, Sep 26, 2009 at 8:14 AM, Hervé BOUTEMY herve.bout...@free.fr wrote:
Le samedi 26 septembre 2009, Albert Kurucz a écrit :
For the additional requirement, getting into the pure Maven repo (The
best), I really meant: build-able.
Me too, I don't really care what tool you use to build it as long as
the tool is already checked in and you only use the attached metadata
and the attached sources.
I need some clarifications to be sure that we are all speaking of the same
thing.
-sources.jar artefacts usually attached to the main artefact are not meant
to
be buildable, but used for IDEs. You can't build with that, since it's only
a
part of the sources, and does not honour directories expected in pom.xml.
Since a few months, -source-release.zip artefacts were added to latest
Apache's artefacts (at least Maven's ones) to provide buildable source.
See [1] for example.
Do you really mean that you would like to enforce such -source-release.zip
artefacts to be published?
[1] http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-invoker-
plugin/1.4/
But a tool like this, in my eyes is just another Maven plugin.
Why care about being build-able?
Non-buildable source is fine as a gesture of goodwill, but I think if the
public source isn't buildable, we're gonna end up with egg on our faces.
Quote from:
http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002
170.html
On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote:
On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com
wrote:
Technically it is possible to manage 3 different OSS Maven repos.
1. The good enough
This is the current Maven Central
No rules, only recommendations:
http://maven.apache.org/guides/mini/guide-central-repository-upload.html
Note: it is not a rule what is not enforced!
For what purpose? Again this is effectively a dead repo.
2. The good
This would be the Maven Purgatory.
Same rules applied as above, but rules enforced.
Mistakes of rule-enforcements corrected by purge.
Or this is the new data in Central.
3. The best
Call it the Maven Heaven
Same rules, but only for Maven built projects.
Pretty much useless. The tool used to build is completely irrelevant.
Such a repo would be so barren as to be hardly useful at all.
-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
-
To
Re: Maven Central Repository - Cleanup Efforts
Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? Not any qualities of the code should be enforced. But I very much want to be able to find those gems from the big pile of ... Therefore the artifacts on Central should be search-able and filter-able. Some people want to add more metadata to support this. My opinion is that this approach will not work, it just opens the door for more corruption. There should be independent software quality certifications agencies, which issue issue their lists certifying that artifacts on that list fulfill certain well specified minimum quality measures. Maven should be able to use the output from these agencies (for filtering or search). I hope agencies will maintain high quality of their database, because credibility can be lost only once. On Sat, Sep 26, 2009 at 8:14 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Albert Kurucz a écrit : For the additional requirement, getting into the pure Maven repo (The best), I really meant: build-able. Me too, I don't really care what tool you use to build it as long as the tool is already checked in and you only use the attached metadata and the attached sources. I need some clarifications to be sure that we are all speaking of the same thing. -sources.jar artefacts usually attached to the main artefact are not meant to be buildable, but used for IDEs. You can't build with that, since it's only a part of the sources, and does not honour directories expected in pom.xml. Since a few months, -source-release.zip artefacts were added to latest Apache's artefacts (at least Maven's ones) to provide buildable source. See [1] for example. Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? [1] http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-invoker- plugin/1.4/ But a tool like this, in my eyes is just another Maven plugin. Why care about being build-able? Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002 170.html On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote: On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
For some start-ups, this could mean a business opportunity! Nobody said, that the quality info should be given away free. On Tue, Sep 29, 2009 at 7:21 AM, Albert Kurucz albert.kur...@gmail.com wrote: Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? Not any qualities of the code should be enforced. But I very much want to be able to find those gems from the big pile of ... Therefore the artifacts on Central should be search-able and filter-able. Some people want to add more metadata to support this. My opinion is that this approach will not work, it just opens the door for more corruption. There should be independent software quality certifications agencies, which issue issue their lists certifying that artifacts on that list fulfill certain well specified minimum quality measures. Maven should be able to use the output from these agencies (for filtering or search). I hope agencies will maintain high quality of their database, because credibility can be lost only once. On Sat, Sep 26, 2009 at 8:14 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Albert Kurucz a écrit : For the additional requirement, getting into the pure Maven repo (The best), I really meant: build-able. Me too, I don't really care what tool you use to build it as long as the tool is already checked in and you only use the attached metadata and the attached sources. I need some clarifications to be sure that we are all speaking of the same thing. -sources.jar artefacts usually attached to the main artefact are not meant to be buildable, but used for IDEs. You can't build with that, since it's only a part of the sources, and does not honour directories expected in pom.xml. Since a few months, -source-release.zip artefacts were added to latest Apache's artefacts (at least Maven's ones) to provide buildable source. See [1] for example. Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? [1] http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-invoker- plugin/1.4/ But a tool like this, in my eyes is just another Maven plugin. Why care about being build-able? Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002 170.html On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote: On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Filtering is already used for another Maven feature. To avoid ambiguity, we should better call the one what I defined: repository-skinning or repository-certification. Do you think this new feature would hurt the repo or any Maven user? On Sun, Sep 27, 2009 at 11:27 PM, Albert Kurucz albert.kur...@gmail.com wrote: It is not necessary to create a new repo and it is not necessary to modify anything on Central or the policies how it is managed. Mess could be cleaned up virtually if I could attach a filter. In the ~/.m2/settings.xml for example, I should be able to add a list of repository addresses and for each of this repositories (which list could include the Central repo) I should be able to setup a URL of the filter which I would wanna use. Filter format could be for example the nexus repository index format. One example is here: http://repository.codehaus.org/.index/ My Maven client software should effectively hide artifacts from repositories (not only from Central) which artifacts have no reference on my selected filter index. Maven users have different needs, so they would sign up to different filters. Users would never loose faith of Central repo for its content. Only the index providers could be blamed for the garbage or for the missing artifacts, but this is highly unlikely, because they will maintain their index files by automated processes. It would be courteous from the current Maven Central maintainers if they provide a filter, which reflects the requirements what was originally made to get into Central: http://maven.apache.org/guides/mini/guide-central-repository-upload.html (but lots of things got in, which do not comply to this). On Sun, Sep 27, 2009 at 6:45 PM, Brett Porter br...@apache.org wrote: On 27/09/2009, at 5:15 AM, Jason van Zyl wrote: Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html Given this comment, I think you might have misunderstood my post on d...@... I was of the opinion that clean going forward makes sense, past stuff is still available, but working on ways to make Maven understand metadata changes so that you can actually fix things that go wrong. Some related themes have come up in this thread over the weekend, but I'll try and follow up on dev@ later with something more concrete. - Brett - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Yes it would hurt. A build then becomes dependent on the certlist in order for it to function. In such a way, a cert list becomes directly equivalent to a repository definition in a pom.xml file. We do not allow repository definitions in pom files for a good reason. certlists is just another name for the same thing. By all means I see repository managers being able to use certlists... but these would be applied at the repository manager level and not at the settings.xml or at the pom.xml level. If you need a specific certlist in order to build correctly, then I do not think we should allow your new artifacts into central... and now certlists are a dead duck Just my opinion, Stephen 2009/9/28 Albert Kurucz albert.kur...@gmail.com Filtering is already used for another Maven feature. To avoid ambiguity, we should better call the one what I defined: repository-skinning or repository-certification. Do you think this new feature would hurt the repo or any Maven user? On Sun, Sep 27, 2009 at 11:27 PM, Albert Kurucz albert.kur...@gmail.com wrote: It is not necessary to create a new repo and it is not necessary to modify anything on Central or the policies how it is managed. Mess could be cleaned up virtually if I could attach a filter. In the ~/.m2/settings.xml for example, I should be able to add a list of repository addresses and for each of this repositories (which list could include the Central repo) I should be able to setup a URL of the filter which I would wanna use. Filter format could be for example the nexus repository index format. One example is here: http://repository.codehaus.org/.index/ My Maven client software should effectively hide artifacts from repositories (not only from Central) which artifacts have no reference on my selected filter index. Maven users have different needs, so they would sign up to different filters. Users would never loose faith of Central repo for its content. Only the index providers could be blamed for the garbage or for the missing artifacts, but this is highly unlikely, because they will maintain their index files by automated processes. It would be courteous from the current Maven Central maintainers if they provide a filter, which reflects the requirements what was originally made to get into Central: http://maven.apache.org/guides/mini/guide-central-repository-upload.html (but lots of things got in, which do not comply to this). On Sun, Sep 27, 2009 at 6:45 PM, Brett Porter br...@apache.org wrote: On 27/09/2009, at 5:15 AM, Jason van Zyl wrote: Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html Given this comment, I think you might have misunderstood my post on dev@ ... I was of the opinion that clean going forward makes sense, past stuff is still available, but working on ways to make Maven understand metadata changes so that you can actually fix things that go wrong. Some related themes have come up in this thread over the weekend, but I'll try and follow up on dev@ later with something more concrete. - Brett - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Any other flaws? A build then becomes dependent on the certlist in order for it to function. The project's build will not become dependent of the certlist. If it was able to build with certlist feature turned on, it will certainly build without the certlist. We do not allow repository definitions in pom files for a good reason. Repository definitions and certlist select would go to settings file, not to the pom. By all means I see repository managers being able to use certlists... Managers of different repositories will not need to become managers of certlists. but these would be applied at the repository manager level and not at the settings.xml or at the pom.xml level. No, these two tasks (maintaining a repo vs maintaining a certlist) should be separated. If you need a specific certlist in order to build correctly, You may need a specific certlist in order to maintain certain qualities of your development process. But you don't need a certlist for performing any builds. I do not think we should allow your new artifacts into central.. No new artifacts needed on central. All what is needed, a Maven client which respects my filter settings. and now certlists are a dead duck Give me a good reason why! On Mon, Sep 28, 2009 at 10:34 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: Yes it would hurt. In such a way, a cert list becomes directly equivalent to a repository definition in a pom.xml file. We do not allow repository definitions in pom files for a good reason. certlists is just another name for the same thing. By all means I see repository managers being able to use certlists... but these would be applied at the repository manager level and not at the settings.xml or at the pom.xml level. If you need a specific certlist in order to build correctly, then I do not think we should allow your new artifacts into central... and now certlists are a dead duck Just my opinion, Stephen 2009/9/28 Albert Kurucz albert.kur...@gmail.com Filtering is already used for another Maven feature. To avoid ambiguity, we should better call the one what I defined: repository-skinning or repository-certification. Do you think this new feature would hurt the repo or any Maven user? On Sun, Sep 27, 2009 at 11:27 PM, Albert Kurucz albert.kur...@gmail.com wrote: It is not necessary to create a new repo and it is not necessary to modify anything on Central or the policies how it is managed. Mess could be cleaned up virtually if I could attach a filter. In the ~/.m2/settings.xml for example, I should be able to add a list of repository addresses and for each of this repositories (which list could include the Central repo) I should be able to setup a URL of the filter which I would wanna use. Filter format could be for example the nexus repository index format. One example is here: http://repository.codehaus.org/.index/ My Maven client software should effectively hide artifacts from repositories (not only from Central) which artifacts have no reference on my selected filter index. Maven users have different needs, so they would sign up to different filters. Users would never loose faith of Central repo for its content. Only the index providers could be blamed for the garbage or for the missing artifacts, but this is highly unlikely, because they will maintain their index files by automated processes. It would be courteous from the current Maven Central maintainers if they provide a filter, which reflects the requirements what was originally made to get into Central: http://maven.apache.org/guides/mini/guide-central-repository-upload.html (but lots of things got in, which do not comply to this). On Sun, Sep 27, 2009 at 6:45 PM, Brett Porter br...@apache.org wrote: On 27/09/2009, at 5:15 AM, Jason van Zyl wrote: Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html Given this comment, I think you might have misunderstood my post on dev@ ... I was of the opinion that clean going forward makes sense, past stuff is still available, but working on ways to make Maven understand metadata changes so that you can actually fix things that go wrong. Some related themes have come up in this thread over the weekend, but I'll try and follow up on dev@ later with something more concrete. - Brett -
Re: Maven Central Repository - Cleanup Efforts
On Mon, Sep 28, 2009 at 9:02 AM, Albert Kurucz albert.kur...@gmail.com wrote: Any other flaws? A build then becomes dependent on the certlist in order for it to function. The project's build will not become dependent of the certlist. If it was able to build with certlist feature turned on, it will certainly build without the certlist. If the build at all depends on the cert list for proper resolution, then yes it is a defacto dependency of the build. In other words, if the resolution is at all different without the certlist than it is with it, then the build is dependent on it for proper resolution. If the certlist isn't required, then what value does it provide? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
One unwritten? rule of Maven good practice is that you change the undefined dependency version definitions to fixed versions before release. If you have done that, resolution will not be effected by certlist on or off status. The value (benefit) what certlist would provide to a Maven user, is that the user will not need to evaluate many artifact, which are not worth to spend time on looking at. This could result to saving our valuable spare time which we spend on contributing to different open source projects. On Mon, Sep 28, 2009 at 11:32 AM, Brian Fox bri...@infinity.nu wrote: On Mon, Sep 28, 2009 at 9:02 AM, Albert Kurucz albert.kur...@gmail.com wrote: Any other flaws? A build then becomes dependent on the certlist in order for it to function. The project's build will not become dependent of the certlist. If it was able to build with certlist feature turned on, it will certainly build without the certlist. If the build at all depends on the cert list for proper resolution, then yes it is a defacto dependency of the build. In other words, if the resolution is at all different without the certlist than it is with it, then the build is dependent on it for proper resolution. If the certlist isn't required, then what value does it provide? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Sorry for thread hijack, but was not able to resist... Another thing to think about, since it's adoption: On Mon, Sep 28, 2009 at 5:34 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: We do not allow repository definitions in pom files for a good reason. This seemed as a good idea, but think about it. Why would you _not_ put reposes in POMs? Because they will be _burned_ in to your POMs forever and your URLs may change down the road? Why is this better: * having repository defs in POMs, thus providing at least some usable info that a developer may use as starting point and google it up/search/look for it (where it went, what it was, etc) then: * providing _no_ useful information in POMs for future generations? Having no trace in your _build_ about needed reposes... Ah yes, _both_ cases are easily handled by MRMs + grouping + mirrorOf, but in 2nd case, the one building may only shoot in the dark, you did not provide _any_ information from what did you build your stuff. Think about it. ~t~
Re: Maven Central Repository - Cleanup Efforts
I did not propose point system to describe the quality of repository alone, I thought of it just to be able to compare two different repositories... (ie. you find same thing in two of them, decide which one will you want to use, etc). But now I understand that this would provide a lot less value that I thought initially. The other item in my list was the list of \problematic\ or simply \unusable\ or \less then qualifiable\ _parts/GAVs/trees_ of repo itself and this sounds more like the deprecation someone proposed... ~t~ On Sun, Sep 27, 2009 at 7:41 PM, Benson Margulies bimargul...@gmail.comwrote: I agree that a point system is pointless.
Re : Maven Central Repository - Cleanup Efforts
- Message d'origine De : Albert Kurucz albert.kur...@gmail.com À : Maven Users List users@maven.apache.org Envoyé le : Lundi, 28 Septembre 2009, 19h39mn 00s Objet : Re: Maven Central Repository - Cleanup Efforts Tamas, could explain MRMs + grouping + mirrorOf or send a link? http://www.sonatype.com/books/nexus-book/reference/maven-sect-single-group.html 2009/9/28 Tamás Cservenák : Sorry for thread hijack, but was not able to resist... Another thing to think about, since it's adoption: On Mon, Sep 28, 2009 at 5:34 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: We do not allow definitions in pom files for a good reason. This seemed as a good idea, but think about it. Why would you _not_ put reposes in POMs? Because they will be _burned_ in to your POMs forever and your URLs may change down the road? Why is this better: * having repository defs in POMs, thus providing at least some usable info that a developer may use as starting point and google it up/search/look for it (where it went, what it was, etc) then: * providing _no_ useful information in POMs for future generations? Having no trace in your _build_ about needed reposes... Ah yes, _both_ cases are easily handled by MRMs + grouping + mirrorOf, but in 2nd case, the one building may only shoot in the dark, you did not provide _any_ information from what did you build your stuff. Think about it. ~t~ - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
I hope I get this right Jason here states that there should only be one central And yes we can ONLY have ONE central. And this is the ONE we got today That must be the game we are playing. The community must be able to TRUST maven / central. Starting changing this could cause doubt, and a very easy attach zone for competitors... When this is stated We must acknowledge we got problems !!! The central is full of legacy, some artifacts that even might not work, moved etc. Here the solution can be to add deprecation lists or better component- qualtiy-attributes (an xml file next to a component) To speak clear: pom.xml xx.jar xxx.war ... is read-only. But a component-quality-attribute.xml file can be maintained, and updated. The quality attributes can be like: deprecated false / true .. when true + a description runs-JVM-1.5 true/ (false + description / problem reference ) runs-JVM-1.6true/ (false + description / problem reference ) runs-JVM-1.7 true/ (false + description / problem reference ) runs-JVM-1.8 when this becomes relevant is-moved (no) or path to new location osgi-compliant true / false ivy-enabled true /false groovy-enabled maven-2 enabled true / false ... most of our maven-2 artifacts should hopefully have true here :-) maven-3 enabled (soon..) maven-4 enabled (when this becomes relevant) various PMD level compliant I here by tries to state that we cannot predict the future. What today seens perfect, might tomorrow be less usable. With such attributes users can select the artifacts matching their demands. I am not sure a point system from 1..10 will match the requirements. Best regards Anders Kristian Andersen On 26/09/2009, at 21.15, Jason van Zyl wrote: On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want to add is of enormous value but it's predicated on generally improving the quality of Maven Central. I don't want Sonatype to be known as the company that stole Maven Central, doesn't do us any good. So trying to sequester improved metadata somewhere is pointless. If the base information is not good, then the whole system is crippled and that screws Sonatype as well as everyone else. So the information in Maven Central on a per-project basis I see increasing greatly with some tools that Sonatype is developing in Nexus and M2Eclipse and this will benefit all Maven users generally. I'm certainly going to leverage that improved information, but so can anyone else. On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
I agree that a point system is pointless. I mostly care about whether an artifact is well-formed. I don't depend on maven central to help me make business decisions about what open source components to depend on. If I need a component, I do the research to see what exists, what has a live community, what the licenses are, etc. Finally, when I know that I want something, I go see if its on central. If it's not, then I grumble and make arrangements to get to it from my local nexus instance. All I need to know from central is whether it contains a functional, up-to-date artifact set f whatever component I've determined that I want to use. On Sun, Sep 27, 2009 at 5:13 AM, Anders Kristian Andersen anders.kristian.ander...@gmail.com wrote: I hope I get this right Jason here states that there should only be one central And yes we can ONLY have ONE central. And this is the ONE we got today That must be the game we are playing. The community must be able to TRUST maven / central. Starting changing this could cause doubt, and a very easy attach zone for competitors... When this is stated We must acknowledge we got problems !!! The central is full of legacy, some artifacts that even might not work, moved etc. Here the solution can be to add deprecation lists or better component-qualtiy-attributes (an xml file next to a component) To speak clear: pom.xml xx.jar xxx.war ... is read-only. But a component-quality-attribute.xml file can be maintained, and updated. The quality attributes can be like: deprecated false / true .. when true + a description runs-JVM-1.5 true/ (false + description / problem reference ) runs-JVM-1.6true/ (false + description / problem reference ) runs-JVM-1.7 true/ (false + description / problem reference ) runs-JVM-1.8 when this becomes relevant is-moved (no) or path to new location osgi-compliant true / false ivy-enabled true /false groovy-enabled maven-2 enabled true / false ... most of our maven-2 artifacts should hopefully have true here :-) maven-3 enabled (soon..) maven-4 enabled (when this becomes relevant) various PMD level compliant I here by tries to state that we cannot predict the future. What today seens perfect, might tomorrow be less usable. With such attributes users can select the artifacts matching their demands. I am not sure a point system from 1..10 will match the requirements. Best regards Anders Kristian Andersen On 26/09/2009, at 21.15, Jason van Zyl wrote: On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want to add is of enormous value but it's predicated on generally improving the quality of Maven Central. I don't want Sonatype to be known as the company that stole Maven Central, doesn't do us any good. So trying to sequester improved metadata somewhere is pointless. If the base information is not good, then the whole system is crippled and that screws Sonatype as well as everyone else. So the information in Maven Central on a per-project basis I see increasing greatly with some tools that Sonatype is developing in Nexus and M2Eclipse and this will benefit all Maven users generally. I'm certainly going to leverage that improved information, but so can anyone else. On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the
Re: Maven Central Repository - Cleanup Efforts
This is exactly what all sane users do, but we will still try extremely hard to clean everything up and make it easier for open source projects to get their artifacts to central. On 2009-09-27, at 10:41 AM, Benson Margulies wrote: I agree that a point system is pointless. I mostly care about whether an artifact is well-formed. I don't depend on maven central to help me make business decisions about what open source components to depend on. If I need a component, I do the research to see what exists, what has a live community, what the licenses are, etc. Finally, when I know that I want something, I go see if its on central. If it's not, then I grumble and make arrangements to get to it from my local nexus instance. All I need to know from central is whether it contains a functional, up-to-date artifact set f whatever component I've determined that I want to use. On Sun, Sep 27, 2009 at 5:13 AM, Anders Kristian Andersen anders.kristian.ander...@gmail.com wrote: I hope I get this right Jason here states that there should only be one central And yes we can ONLY have ONE central. And this is the ONE we got today That must be the game we are playing. The community must be able to TRUST maven / central. Starting changing this could cause doubt, and a very easy attach zone for competitors... When this is stated We must acknowledge we got problems !!! The central is full of legacy, some artifacts that even might not work, moved etc. Here the solution can be to add deprecation lists or better component-qualtiy-attributes (an xml file next to a component) To speak clear: pom.xml xx.jar xxx.war ... is read-only. But a component-quality-attribute.xml file can be maintained, and updated. The quality attributes can be like: deprecated false / true .. when true + a description runs-JVM-1.5 true/ (false + description / problem reference ) runs-JVM-1.6true/ (false + description / problem reference ) runs-JVM-1.7 true/ (false + description / problem reference ) runs-JVM-1.8 when this becomes relevant is-moved (no) or path to new location osgi-compliant true / false ivy-enabled true /false groovy-enabled maven-2 enabled true / false ... most of our maven-2 artifacts should hopefully have true here :-) maven-3 enabled (soon..) maven-4 enabled (when this becomes relevant) various PMD level compliant I here by tries to state that we cannot predict the future. What today seens perfect, might tomorrow be less usable. With such attributes users can select the artifacts matching their demands. I am not sure a point system from 1..10 will match the requirements. Best regards Anders Kristian Andersen On 26/09/2009, at 21.15, Jason van Zyl wrote: On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want to add is of enormous value but it's predicated on generally improving the quality of Maven Central. I don't want Sonatype to be known as the company that stole Maven Central, doesn't do us any good. So trying to sequester improved metadata somewhere is pointless. If the base information is not good, then the whole system is crippled and that screws Sonatype as well as everyone else. So the information in Maven Central on a per-project basis I see increasing greatly with some tools that Sonatype is developing in Nexus and M2Eclipse and this will benefit all Maven users generally. I'm certainly going to leverage that improved information, but so can anyone
Re: Maven Central Repository - Cleanup Efforts
Mr. Zyl, Please don't mistake me. I'm on your side of this debate. I am no more arguing against basic cleanup than I am arguing for trying to get into the business of arbitrating and publishing elaborate metadata about what is inside or behind the artifacts. Central should be as clean as possible in a functional sense: the artifacts in it should contain what they claim to contain, have accurate dependencies, etc. A scheme to hang red flags on historical items that have problems is great. --benson On Sun, Sep 27, 2009 at 2:17 PM, Jason van Zyl jvan...@sonatype.com wrote: This is exactly what all sane users do, but we will still try extremely hard to clean everything up and make it easier for open source projects to get their artifacts to central. On 2009-09-27, at 10:41 AM, Benson Margulies wrote: I agree that a point system is pointless. I mostly care about whether an artifact is well-formed. I don't depend on maven central to help me make business decisions about what open source components to depend on. If I need a component, I do the research to see what exists, what has a live community, what the licenses are, etc. Finally, when I know that I want something, I go see if its on central. If it's not, then I grumble and make arrangements to get to it from my local nexus instance. All I need to know from central is whether it contains a functional, up-to-date artifact set f whatever component I've determined that I want to use. On Sun, Sep 27, 2009 at 5:13 AM, Anders Kristian Andersen anders.kristian.ander...@gmail.com wrote: I hope I get this right Jason here states that there should only be one central And yes we can ONLY have ONE central. And this is the ONE we got today That must be the game we are playing. The community must be able to TRUST maven / central. Starting changing this could cause doubt, and a very easy attach zone for competitors... When this is stated We must acknowledge we got problems !!! The central is full of legacy, some artifacts that even might not work, moved etc. Here the solution can be to add deprecation lists or better component-qualtiy-attributes (an xml file next to a component) To speak clear: pom.xml xx.jar xxx.war ... is read-only. But a component-quality-attribute.xml file can be maintained, and updated. The quality attributes can be like: deprecated false / true .. when true + a description runs-JVM-1.5 true/ (false + description / problem reference ) runs-JVM-1.6true/ (false + description / problem reference ) runs-JVM-1.7 true/ (false + description / problem reference ) runs-JVM-1.8 when this becomes relevant is-moved (no) or path to new location osgi-compliant true / false ivy-enabled true /false groovy-enabled maven-2 enabled true / false ... most of our maven-2 artifacts should hopefully have true here :-) maven-3 enabled (soon..) maven-4 enabled (when this becomes relevant) various PMD level compliant I here by tries to state that we cannot predict the future. What today seens perfect, might tomorrow be less usable. With such attributes users can select the artifacts matching their demands. I am not sure a point system from 1..10 will match the requirements. Best regards Anders Kristian Andersen On 26/09/2009, at 21.15, Jason van Zyl wrote: On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want to add is of enormous value but it's predicated on generally improving the quality of Maven Central.
Re: Maven Central Repository - Cleanup Efforts
Only pointing out that's what people typically do. On 2009-09-27, at 11:27 AM, Benson Margulies wrote: Mr. Zyl, Please don't mistake me. I'm on your side of this debate. I am no more arguing against basic cleanup than I am arguing for trying to get into the business of arbitrating and publishing elaborate metadata about what is inside or behind the artifacts. Central should be as clean as possible in a functional sense: the artifacts in it should contain what they claim to contain, have accurate dependencies, etc. A scheme to hang red flags on historical items that have problems is great. --benson On Sun, Sep 27, 2009 at 2:17 PM, Jason van Zyl jvan...@sonatype.com wrote: This is exactly what all sane users do, but we will still try extremely hard to clean everything up and make it easier for open source projects to get their artifacts to central. On 2009-09-27, at 10:41 AM, Benson Margulies wrote: I agree that a point system is pointless. I mostly care about whether an artifact is well-formed. I don't depend on maven central to help me make business decisions about what open source components to depend on. If I need a component, I do the research to see what exists, what has a live community, what the licenses are, etc. Finally, when I know that I want something, I go see if its on central. If it's not, then I grumble and make arrangements to get to it from my local nexus instance. All I need to know from central is whether it contains a functional, up-to-date artifact set f whatever component I've determined that I want to use. On Sun, Sep 27, 2009 at 5:13 AM, Anders Kristian Andersen anders.kristian.ander...@gmail.com wrote: I hope I get this right Jason here states that there should only be one central And yes we can ONLY have ONE central. And this is the ONE we got today That must be the game we are playing. The community must be able to TRUST maven / central. Starting changing this could cause doubt, and a very easy attach zone for competitors... When this is stated We must acknowledge we got problems !!! The central is full of legacy, some artifacts that even might not work, moved etc. Here the solution can be to add deprecation lists or better component-qualtiy-attributes (an xml file next to a component) To speak clear: pom.xml xx.jar xxx.war ... is read-only. But a component-quality-attribute.xml file can be maintained, and updated. The quality attributes can be like: deprecated false / true .. when true + a description runs-JVM-1.5 true/ (false + description / problem reference ) runs-JVM-1.6true/ (false + description / problem reference ) runs-JVM-1.7 true/ (false + description / problem reference ) runs-JVM-1.8 when this becomes relevant is-moved (no) or path to new location osgi-compliant true / false ivy-enabled true /false groovy-enabled maven-2 enabled true / false ... most of our maven-2 artifacts should hopefully have true here :-) maven-3 enabled (soon..) maven-4 enabled (when this becomes relevant) various PMD level compliant I here by tries to state that we cannot predict the future. What today seens perfect, might tomorrow be less usable. With such attributes users can select the artifacts matching their demands. I am not sure a point system from 1..10 will match the requirements. Best regards Anders Kristian Andersen On 26/09/2009, at 21.15, Jason van Zyl wrote: On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want
Re: Maven Central Repository - Cleanup Efforts
On 27/09/2009, at 5:15 AM, Jason van Zyl wrote: Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html Given this comment, I think you might have misunderstood my post on d...@... I was of the opinion that clean going forward makes sense, past stuff is still available, but working on ways to make Maven understand metadata changes so that you can actually fix things that go wrong. Some related themes have come up in this thread over the weekend, but I'll try and follow up on dev@ later with something more concrete. - Brett - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
It is not necessary to create a new repo and it is not necessary to modify anything on Central or the policies how it is managed. Mess could be cleaned up virtually if I could attach a filter. In the ~/.m2/settings.xml for example, I should be able to add a list of repository addresses and for each of this repositories (which list could include the Central repo) I should be able to setup a URL of the filter which I would wanna use. Filter format could be for example the nexus repository index format. One example is here: http://repository.codehaus.org/.index/ My Maven client software should effectively hide artifacts from repositories (not only from Central) which artifacts have no reference on my selected filter index. Maven users have different needs, so they would sign up to different filters. Users would never loose faith of Central repo for its content. Only the index providers could be blamed for the garbage or for the missing artifacts, but this is highly unlikely, because they will maintain their index files by automated processes. It would be courteous from the current Maven Central maintainers if they provide a filter, which reflects the requirements what was originally made to get into Central: http://maven.apache.org/guides/mini/guide-central-repository-upload.html (but lots of things got in, which do not comply to this). On Sun, Sep 27, 2009 at 6:45 PM, Brett Porter br...@apache.org wrote: On 27/09/2009, at 5:15 AM, Jason van Zyl wrote: Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html Given this comment, I think you might have misunderstood my post on d...@... I was of the opinion that clean going forward makes sense, past stuff is still available, but working on ways to make Maven understand metadata changes so that you can actually fix things that go wrong. Some related themes have come up in this thread over the weekend, but I'll try and follow up on dev@ later with something more concrete. - Brett - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
A lot of +1-es to this quote ~t~ On Sat, Sep 26, 2009 at 4:35 AM, Albert Kurucz albert.kur...@gmail.comwrote: Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002170.html
Re: Maven Central Repository - Cleanup Efforts
Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Le samedi 26 septembre 2009, Albert Kurucz a écrit : For the additional requirement, getting into the pure Maven repo (The best), I really meant: build-able. Me too, I don't really care what tool you use to build it as long as the tool is already checked in and you only use the attached metadata and the attached sources. I need some clarifications to be sure that we are all speaking of the same thing. -sources.jar artefacts usually attached to the main artefact are not meant to be buildable, but used for IDEs. You can't build with that, since it's only a part of the sources, and does not honour directories expected in pom.xml. Since a few months, -source-release.zip artefacts were added to latest Apache's artefacts (at least Maven's ones) to provide buildable source. See [1] for example. Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? [1] http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-invoker- plugin/1.4/ But a tool like this, in my eyes is just another Maven plugin. Why care about being build-able? Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002 170.html On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote: On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Le samedi 26 septembre 2009, Albert Kurucz a écrit : For the additional requirement, getting into the pure Maven repo (The best), I really meant: build-able. Me too, I don't really care what tool you use to build it as long as the tool is already checked in and you only use the attached metadata and the attached sources. I need some clarifications to be sure that we are all speaking of the same thing. -sources.jar artefacts usually attached to the main artefact are not meant to be buildable, but used for IDEs. You can't build with that, since it's only a part of the sources, and does not honour directories expected in pom.xml. Since a few months, -source-release.zip artefacts were added to latest Apache's artefacts (at least Maven's ones) to provide buildable source. See [1] for example. Do you really mean that you would like to enforce such -source-release.zip artefacts to be published? But a tool like this, in my eyes is just another Maven plugin. Why care about being build-able? Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002 170.html On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote: On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. We could ask repo maintainers -- just like we did with Nexus indexes -- simply to publish these meta information (metrics) information in their reposes, and repo consumers could decide: do I want or not a repo of 3.14 MRQ* to participate in my build or not. Of course, persons or organizations would be able to raise MRQ just by letting it thru (and fixing/improving) the repo in question over some tools (MRMs are at once the 1st thing becoming obvious choice). *MRQ = Maven Repo Quality index, for example a scalar number with range 0-10 (if the quality is representable as such) Thanks, ~t~ PS: I am really interested, if once done, what score would central get ;) On Sat, Sep 26, 2009 at 3:14 PM, Hervé BOUTEMY herve.bout...@free.frwrote: I need some clarifications to be sure that we are all speaking of the same thing.
Re: Maven Central Repository - Cleanup Efforts
Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
IMHO, being buildable by maven is a nice to have, but to be honest, if somebody wants to build their project with a DOS batch file and a piece of string I don't mind as long as they publish the artifact with a valid pom anything else is setting the repository up for failure Sent from my [rhymes with tryPod] ;-) On 26 Sep 2009, at 09:22, Tamás Cservenák ta...@cservenak.net wrote: A lot of +1-es to this quote ~t~ On Sat, Sep 26, 2009 at 4:35 AM, Albert Kurucz albert.kur...@gmail.com wrote: Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002170.html - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
You got the point. But that quality information (whatever it's form would be), could do things like: - describe the overall quality of repo (let's name it the MRQ score) - the list (or only the count) of rules/tests ran (so, a repo of MRQ score 5 with 5 tests would be less good than a repo with MRQ score 5 but checked with 15 tests), to be able to compare reposes between each other (if for example the MRQ would be defined as mean value of tests ran against it or something like that). Or something much more sophisticated... but you got the idea. - the list of problematic or simply unusable or less then qualifiable parts/GAVs/trees of repo itself. Tresholds could be wired in the tooling and make them universal (minimal compliance set, good to have compliance set, superb compliance set) - etc Sci Fiction part: You could have a simple maven plugin, that would try to read these informations from reposes participating in your build (i know this would have some issues in 2.2.x, but i believe maven3 would be able to cope with this) on initialize phase of your build, and spit you huge warnings about problematic reposes are in your build, or better, if you pull an artifact from problematic set/tree have an option to fail the build/throw huge warning, etc But one problem here is the grouping feature of almost all MRMs: and maven simply looses the information from where came an artifact... ~t~ On Sat, Sep 26, 2009 at 7:58 PM, Albert Kurucz albert.kur...@gmail.comwrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
if you start measuring artifact quality, it makes sense to break down the stats by groupId at least that way if I see that java.net has 100% quality for com.stvconsultants.easygloss I can configure my repository manager to allow that group I'd through, but leave org.glassfish out as its quality is only 70% although I do see assessing quality as requiring at least some human intervention. but in response to Albert, a 50% score for quality does not translate to everything being crap, only that lots of non-deprecated artifacts have poor pom.xml files. there will still be zones of sanity in a poor repo, just as there are zones of insanity in a mostly good repository Sent from my [rhymes with tryPod] ;-) On 26 Sep 2009, at 18:58, Albert Kurucz albert.kur...@gmail.com wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free. fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Sent from my [rhymes with tryPod] ;-) On 26 Sep 2009, at 18:58, Albert Kurucz albert.kur...@gmail.com wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. yes this is possible, but it will be missing so many of the ok artifacts that everyone needs as to make it useful. if you set the bar too high, nobody will try to jump it. let's start by setting the bar a little higher than it currently is, and with deprecation metadata we can start flagging those artifacts which would not make it over the bar at its new height central it just too useful... it has gathered critical mass whereby it is nearly a right of passage for new java projects to get hosted on central... hosting on central becomes one of those things projects are asked to do... if we move the goalposts too far or too fast we will kill the critical mass we have now, and the whole thing will end up a dead duck If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. I don't get that impression I get the impression that paying customers will get the features first, but, the impression I have is that Jason feels good artifacts in central help sonatype make money more than providing commercial tools to try and filter out the bad from central ever could Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free. fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
central it just too useful... it has gathered critical mass whereby it is nearly a right of passage for new java projects to get hosted on central... hosting on central becomes one of those things projects are asked to do... if we move the goalposts too far or too fast we will kill the critical mass we have now, and the whole thing will end up a dead duck bingo. We are doing this now by requiring valid signatures for anything that comes via oss.sonatype.org or anything i personally approve when i manually process either an upload or a sync request. If it's no good, it don't enable it. We want to automate this so the standard applies regardless of who processes the request...and eventually automate the processing as well. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. I don't get that impression Also correct. We want to fix the core data in central for everyone, but as I've said before: fix means improve the quality of incoming data, it does not mean go back and rewrite old poms etc because this just screws up existing builds. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
I don't want anyone to miss any of the numerous ok arifacts. Those could still be housed by the Good enough Central repo. I would like to have a setting in my Maven with 3 options: -Good enough -Good (verified meta) -Best (verified buildable) which selects which of the 3 maintained repo will be used. On Sat, Sep 26, 2009 at 1:41 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: Sent from my [rhymes with tryPod] ;-) On 26 Sep 2009, at 18:58, Albert Kurucz albert.kur...@gmail.com wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. yes this is possible, but it will be missing so many of the ok artifacts that everyone needs as to make it useful. if you set the bar too high, nobody will try to jump it. let's start by setting the bar a little higher than it currently is, and with deprecation metadata we can start flagging those artifacts which would not make it over the bar at its new height central it just too useful... it has gathered critical mass whereby it is nearly a right of passage for new java projects to get hosted on central... hosting on central becomes one of those things projects are asked to do... if we move the goalposts too far or too fast we will kill the critical mass we have now, and the whole thing will end up a dead duck If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. I don't get that impression I get the impression that paying customers will get the features first, but, the impression I have is that Jason feels good artifacts in central help sonatype make money more than providing commercial tools to try and filter out the bad from central ever could Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Sat, Sep 26, 2009 at 12:11 PM, Albert Kurucz albert.kur...@gmail.com wrote: I don't want anyone to miss any of the numerous ok arifacts. Those could still be housed by the Good enough Central repo. I would like to have a setting in my Maven with 3 options: -Good enough -Good (verified meta) -Best (verified buildable) which selects which of the 3 maintained repo will be used. It's not that simple. What you really want to say is if the best is there, take it. If there is no best then use good etc, but frankly it's not going to exist that you have best, good and good enough existing all at the same time for the same version. Selecting a whole repo based on some arbitrary criteria makes no sense unless every single artifact you need exists at that level. If you really want to filter things out based on definable criteria, then perhaps you want the Procurement support in Nexus Pro. I just don't see how selecting a whole repo makes any sense. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On 2009-09-26, at 10:58 AM, Albert Kurucz wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). Not having a super high quality central repository actually makes our commercial efforts a lot harder. If I was devious I would have agreed with Brett and would make a completely clean central repository as our plans require intact repositories. But we don't have a clean repository and trying to make a separate one would be a disaster for general use. You have to live with what's there and Sonatype will actually invest in cleaning up the generally available repository. We already have with efforts like this: http://nexus.sonatype.org/oss-repository-hosting.html It would actually cost us more in support with our clients to maintain a dirty Maven Central and a clean Maven Central with the confusion, interoperability problems and general issues of potential distrust it just makes no business sense. Now the information we want to add is of enormous value but it's predicated on generally improving the quality of Maven Central. I don't want Sonatype to be known as the company that stole Maven Central, doesn't do us any good. So trying to sequester improved metadata somewhere is pointless. If the base information is not good, then the whole system is crippled and that screws Sonatype as well as everyone else. So the information in Maven Central on a per-project basis I see increasing greatly with some tools that Sonatype is developing in Nexus and M2Eclipse and this will benefit all Maven users generally. I'm certainly going to leverage that improved information, but so can anyone else. On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On 2009-09-26, at 12:11 PM, Albert Kurucz wrote: I don't want anyone to miss any of the numerous ok arifacts. Those could still be housed by the Good enough Central repo. I would like to have a setting in my Maven with 3 options: -Good enough -Good (verified meta) -Best (verified buildable) which selects which of the 3 maintained repo will be used. Then make your own repository. See how useful that is. On Sat, Sep 26, 2009 at 1:41 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: Sent from my [rhymes with tryPod] ;-) On 26 Sep 2009, at 18:58, Albert Kurucz albert.kur...@gmail.com wrote: Very nice idea to measure the quality. But sorry Tamas, 50% corrupt or 90% corrupt does not make a difference for me. Especially not, when I have feeling that it is possible to maintain a 100% clean repo with the right automation tools. yes this is possible, but it will be missing so many of the ok artifacts that everyone needs as to make it useful. if you set the bar too high, nobody will try to jump it. let's start by setting the bar a little higher than it currently is, and with deprecation metadata we can start flagging those artifacts which would not make it over the bar at its new height central it just too useful... it has gathered critical mass whereby it is nearly a right of passage for new java projects to get hosted on central... hosting on central becomes one of those things projects are asked to do... if we move the goalposts too far or too fast we will kill the critical mass we have now, and the whole thing will end up a dead duck If Sonatype's goal is to sell these tools only for paying customers I don't have a bad feeling about that. I don't get that impression I get the impression that paying customers will get the features first, but, the impression I have is that Jason feels good artifacts in central help sonatype make money more than providing commercial tools to try and filter out the bad from central ever could Everyone has to make a living. But I hope sometime similar tools and a clean repo will be available for the open public. I hope OSS developers will recognize the need for quality (and a high quality repo). On Sat, Sep 26, 2009 at 11:22 AM, Hervé BOUTEMY herve.bout...@free.fr wrote: Le samedi 26 septembre 2009, Tamás Cservenák a écrit : I think we all need some clarification, since we all talk about quality (we all agreed upon the basic things unanimously). What is the quality of a maven repository (in general)? Can we measure it? Can we define it? A wiki page with piled up (even personal) opinions would be good -- don't hesitate to start one on MAVENUSER Wiki [1] whatever they are -- and later we should cherry-pick the most relevant ones to build some tooling to build these metric. And then, we could measure the quality of different reposes (like central) and have a list of reposes that do meet certain level of quality and list publicly the others that does not. [1] http://docs.codehaus.org/display/MAVENUSER/Home - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. It is debatable is what you mean on high quality. For me (totally a Maven fan!) what makes the POM high quality? Its ability to build the project! I don't really care if it is full of maven-antrun-plugin, but build it by running mvn ... For some developers high quality really just means that the metadata is correct. Because of this opposition having two separate OSS repos (serving different needs?) makes sense. What is the right thing to do going forward? One question is whether to care about build ability or not! On Thu, Sep 24, 2009 at 10:56 PM, Jason van Zyl jvan...@sonatype.com wrote: On 2009-09-24, at 7:52 PM, Albert Kurucz wrote: Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. What matters is a plan to improve the metadata and this can be done over time. There can never be a big bang here, there is just too much content, and too many people relying on the content that's there. Projects that are deploying against oss.sonatype.org are subject to the procurement rules which are stringent. The artifacts are placed in a staging repository, rules are applied and if they all pass they get promoted otherwise they have to be corrected. No promotion unless all the rules pass. Only allowing Maven built projects doesn't make sense. All we need it the correct information. We honestly don't care if people build with Maven or not. We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. This isn't really going to change or help anything. The existing content cannot change, the content going forward needs to be improved and that's what matters. Over time as the content improves the poorer quality submissions will just fall into disuse. Nexus can now help any project that wants to deploy high quality artifacts via oss.sonatype.org. The next step for us is allowing bundle submissions that are normally pushed into JIRA to be also submitted into a staging repository and run through the same set of rules. This will be available in Nexus 1.4. The last gap to fill will be repositories that directly sync and we'll provide a mechanism for that in Nexus as well. Ultimately we will build up these rules and if you don't pass them, by whatever gate you pass through, then your artifacts get rejected. We'll provide this in an easy to use form with Nexus but ultimately it doesn't matter how these rules are enforced as long as they are enforced. This is the only strategy that will work long-term. What's done has been done. What matters now helping projects do the right thing going forward. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
For me, High quality is that: /project/(?parent/)(groupId|artifactId|version) are valid and do not reference properties /project/dependencies is valid and if there are any properties defined they are defined within the pom or it's parents /project/name /project/description /project/url Bonus high quality is when it has /project/scm /project/issueTracking /project/developers /project/contributors and if it is a project that builds using Maven 2 -Stephen 2009/9/25 Albert Kurucz albert.kur...@gmail.com: We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. It is debatable is what you mean on high quality. For me (totally a Maven fan!) what makes the POM high quality? Its ability to build the project! I don't really care if it is full of maven-antrun-plugin, but build it by running mvn ... For some developers high quality really just means that the metadata is correct. Because of this opposition having two separate OSS repos (serving different needs?) makes sense. What is the right thing to do going forward? One question is whether to care about build ability or not! On Thu, Sep 24, 2009 at 10:56 PM, Jason van Zyl jvan...@sonatype.com wrote: On 2009-09-24, at 7:52 PM, Albert Kurucz wrote: Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. What matters is a plan to improve the metadata and this can be done over time. There can never be a big bang here, there is just too much content, and too many people relying on the content that's there. Projects that are deploying against oss.sonatype.org are subject to the procurement rules which are stringent. The artifacts are placed in a staging repository, rules are applied and if they all pass they get promoted otherwise they have to be corrected. No promotion unless all the rules pass. Only allowing Maven built projects doesn't make sense. All we need it the correct information. We honestly don't care if people build with Maven or not. We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. This isn't really going to change or help anything. The existing content cannot change, the content going forward needs to be improved and that's what matters. Over time as the content improves the poorer quality submissions will just fall into disuse. Nexus can now help any project that wants to deploy high quality artifacts via oss.sonatype.org. The next step for us is allowing bundle submissions that are normally pushed into JIRA to be also submitted into a staging repository and run through the same set of rules. This will be available in Nexus 1.4. The last gap to fill will be repositories that directly sync and we'll provide a mechanism for that in Nexus as well. Ultimately we will build up these rules and if you don't pass them, by whatever gate you pass through, then your artifacts get rejected. We'll provide this in an easy to use form with Nexus but ultimately it doesn't matter how these rules are enforced as long as they are enforced. This is the only strategy that will work long-term. What's done has been done. What matters now helping projects do the right thing going forward. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven
Re: Maven Central Repository - Cleanup Efforts
The pure Maven repo should say: We honestly don't care which Maven plugin the people build with, as long as that plugin is already checked into here. And why people would prefer to use libraries from the pure Maven repo? Quality. Being build-able has always been the target of OSS developments. Finally this could be achieved. (OK it won't come to Maven Central) Anyone care about having Maven Pure? On Fri, Sep 25, 2009 at 8:36 AM, Albert Kurucz albert.kur...@gmail.com wrote: We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. It is debatable is what you mean on high quality. For me (totally a Maven fan!) what makes the POM high quality? Its ability to build the project! I don't really care if it is full of maven-antrun-plugin, but build it by running mvn ... For some developers high quality really just means that the metadata is correct. Because of this opposition having two separate OSS repos (serving different needs?) makes sense. What is the right thing to do going forward? One question is whether to care about build ability or not! On Thu, Sep 24, 2009 at 10:56 PM, Jason van Zyl jvan...@sonatype.com wrote: On 2009-09-24, at 7:52 PM, Albert Kurucz wrote: Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. What matters is a plan to improve the metadata and this can be done over time. There can never be a big bang here, there is just too much content, and too many people relying on the content that's there. Projects that are deploying against oss.sonatype.org are subject to the procurement rules which are stringent. The artifacts are placed in a staging repository, rules are applied and if they all pass they get promoted otherwise they have to be corrected. No promotion unless all the rules pass. Only allowing Maven built projects doesn't make sense. All we need it the correct information. We honestly don't care if people build with Maven or not. We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. This isn't really going to change or help anything. The existing content cannot change, the content going forward needs to be improved and that's what matters. Over time as the content improves the poorer quality submissions will just fall into disuse. Nexus can now help any project that wants to deploy high quality artifacts via oss.sonatype.org. The next step for us is allowing bundle submissions that are normally pushed into JIRA to be also submitted into a staging repository and run through the same set of rules. This will be available in Nexus 1.4. The last gap to fill will be repositories that directly sync and we'll provide a mechanism for that in Nexus as well. Ultimately we will build up these rules and if you don't pass them, by whatever gate you pass through, then your artifacts get rejected. We'll provide this in an easy to use form with Nexus but ultimately it doesn't matter how these rules are enforced as long as they are enforced. This is the only strategy that will work long-term. What's done has been done. What matters now helping projects do the right thing going forward. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl
Re: Maven Central Repository - Cleanup Efforts
2009/9/25 Albert Kurucz albert.kur...@gmail.com: The pure Maven repo should say: We honestly don't care which Maven plugin the people build with, as long as that plugin is already checked into here. And why people would prefer to use libraries from the pure Maven repo? Quality. Being build-able has always been the target of OSS developments. Finally this could be achieved. (OK it won't come to Maven Central) Anyone care about having Maven Pure? Not me. Central is good enough if we add deprecation metadata, version comparison metadata, and if we fix a few small issues with the pom xsd. On Fri, Sep 25, 2009 at 8:36 AM, Albert Kurucz albert.kur...@gmail.com wrote: We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. It is debatable is what you mean on high quality. For me (totally a Maven fan!) what makes the POM high quality? Its ability to build the project! I don't really care if it is full of maven-antrun-plugin, but build it by running mvn ... For some developers high quality really just means that the metadata is correct. Because of this opposition having two separate OSS repos (serving different needs?) makes sense. What is the right thing to do going forward? One question is whether to care about build ability or not! On Thu, Sep 24, 2009 at 10:56 PM, Jason van Zyl jvan...@sonatype.com wrote: On 2009-09-24, at 7:52 PM, Albert Kurucz wrote: Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. What matters is a plan to improve the metadata and this can be done over time. There can never be a big bang here, there is just too much content, and too many people relying on the content that's there. Projects that are deploying against oss.sonatype.org are subject to the procurement rules which are stringent. The artifacts are placed in a staging repository, rules are applied and if they all pass they get promoted otherwise they have to be corrected. No promotion unless all the rules pass. Only allowing Maven built projects doesn't make sense. All we need it the correct information. We honestly don't care if people build with Maven or not. We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. This isn't really going to change or help anything. The existing content cannot change, the content going forward needs to be improved and that's what matters. Over time as the content improves the poorer quality submissions will just fall into disuse. Nexus can now help any project that wants to deploy high quality artifacts via oss.sonatype.org. The next step for us is allowing bundle submissions that are normally pushed into JIRA to be also submitted into a staging repository and run through the same set of rules. This will be available in Nexus 1.4. The last gap to fill will be repositories that directly sync and we'll provide a mechanism for that in Nexus as well. Ultimately we will build up these rules and if you don't pass them, by whatever gate you pass through, then your artifacts get rejected. We'll provide this in an easy to use form with Nexus but ultimately it doesn't matter how these rules are enforced as long as they are enforced. This is the only strategy that will work long-term. What's done has been done. What matters now helping projects do the right thing going forward. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For
Re: Maven Central Repository - Cleanup Efforts
Le vendredi 25 septembre 2009, Stephen Connolly a écrit : For me, High quality is that: /project/(?parent/)(groupId|artifactId|version) are valid and do not reference properties /project/dependencies is valid and if there are any properties defined they are defined within the pom or it's parents /project/name /project/description /project/url +1 Bonus high quality is when it has /project/scm /project/issueTracking /project/developers /project/contributors +1 and if it is a project that builds using Maven 2 -1 on this one you can build your artifact the way you like, this doesn't change anything on the quality of the artifact itself and of its metadata = what counts for an artifact repository building with Maven, Ant+Maven Ant Tasks, or Ant + Ivy, Buildr, or any other tool doesn't change anything Hervé -Stephen - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Le vendredi 25 septembre 2009, Stephen Connolly a écrit : 2009/9/25 Albert Kurucz albert.kur...@gmail.com: The pure Maven repo should say: We honestly don't care which Maven plugin the people build with, as long as that plugin is already checked into here. And why people would prefer to use libraries from the pure Maven repo? Quality. Being build-able has always been the target of OSS developments. Finally this could be achieved. (OK it won't come to Maven Central) Anyone care about having Maven Pure? Not me. Central is good enough if we add deprecation metadata, +1 version comparison metadata, -0: need to discuss more on this IMHO (on the dev list probably) and if we fix a few small issues with the pom xsd. need eplanations on this one Hervé - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Fri September 25 2009 12:07:09 pm Stephen Connolly wrote: For me, High quality is that: /project/(?parent/)(groupId|artifactId|version) are valid and do not reference properties /project/dependencies is valid and if there are any properties defined they are defined within the pom or it's parents /project/name /project/description /project/url And I would add: /project/licenses as that's very important to know if I can use the artifact or not. Bonus high quality is when it has /project/scm /project/issueTracking /project/developers /project/contributors I would add /project/organization here as well. Dan and if it is a project that builds using Maven 2 -Stephen -- Daniel Kulp dk...@apache.org http://www.dankulp.com/blog - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
2009/9/25 Hervé BOUTEMY herve.bout...@free.fr: Le vendredi 25 septembre 2009, Stephen Connolly a écrit : For me, High quality is that: /project/(?parent/)(groupId|artifactId|version) are valid and do not reference properties /project/dependencies is valid and if there are any properties defined they are defined within the pom or it's parents /project/name /project/description /project/url +1 Bonus high quality is when it has /project/scm /project/issueTracking /project/developers /project/contributors +1 and if it is a project that builds using Maven 2 -1 on this one you can build your artifact the way you like, this doesn't change anything on the quality of the artifact itself and of its metadata = what counts for an artifact repository building with Maven, Ant+Maven Ant Tasks, or Ant + Ivy, Buildr, or any other tool doesn't change anything No the tool does not change anything... but it's a bonus if it's built with maven ;-) Hervé -Stephen - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
2009/9/25 Hervé BOUTEMY herve.bout...@free.fr: Le vendredi 25 septembre 2009, Stephen Connolly a écrit : 2009/9/25 Albert Kurucz albert.kur...@gmail.com: The pure Maven repo should say: We honestly don't care which Maven plugin the people build with, as long as that plugin is already checked into here. And why people would prefer to use libraries from the pure Maven repo? Quality. Being build-able has always been the target of OSS developments. Finally this could be achieved. (OK it won't come to Maven Central) Anyone care about having Maven Pure? Not me. Central is good enough if we add deprecation metadata, +1 version comparison metadata, -0: need to discuss more on this IMHO (on the dev list probably) +1 to discussing more. I'll start a thread with my thoughts next week and if we fix a few small issues with the pom xsd. need eplanations on this one Hervé - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Good dream, friends! On Fri, Sep 25, 2009 at 12:18 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: 2009/9/25 Hervé BOUTEMY herve.bout...@free.fr: Le vendredi 25 septembre 2009, Stephen Connolly a écrit : 2009/9/25 Albert Kurucz albert.kur...@gmail.com: The pure Maven repo should say: We honestly don't care which Maven plugin the people build with, as long as that plugin is already checked into here. And why people would prefer to use libraries from the pure Maven repo? Quality. Being build-able has always been the target of OSS developments. Finally this could be achieved. (OK it won't come to Maven Central) Anyone care about having Maven Pure? Not me. Central is good enough if we add deprecation metadata, +1 version comparison metadata, -0: need to discuss more on this IMHO (on the dev list probably) +1 to discussing more. I'll start a thread with my thoughts next week and if we fix a few small issues with the pom xsd. need eplanations on this one Hervé - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
For the additional requirement, getting into the pure Maven repo (The best), I really meant: build-able. Me too, I don't really care what tool you use to build it as long as the tool is already checked in and you only use the attached metadata and the attached sources. But a tool like this, in my eyes is just another Maven plugin. Why care about being build-able? Non-buildable source is fine as a gesture of goodwill, but I think if the public source isn't buildable, we're gonna end up with egg on our faces. Quote from: http://mail.opensolaris.org/pipermail/opensolaris-discuss/2005-February/002170.html On Fri, Sep 25, 2009 at 4:31 PM, Brian Fox bri...@infinity.nu wrote: On Fri, Sep 25, 2009 at 12:44 PM, Albert Kurucz albert.kur...@gmail.com wrote: Technically it is possible to manage 3 different OSS Maven repos. 1. The good enough This is the current Maven Central No rules, only recommendations: http://maven.apache.org/guides/mini/guide-central-repository-upload.html Note: it is not a rule what is not enforced! For what purpose? Again this is effectively a dead repo. 2. The good This would be the Maven Purgatory. Same rules applied as above, but rules enforced. Mistakes of rule-enforcements corrected by purge. Or this is the new data in Central. 3. The best Call it the Maven Heaven Same rules, but only for Maven built projects. Pretty much useless. The tool used to build is completely irrelevant. Such a repo would be so barren as to be hardly useful at all. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Maven Central Repository - Cleanup Efforts
According to http://www.think88.com/resources/Maven_white_paper_june_2009.pdf Sonatype maintains a central repository with more than 90,000 artifacts, consuming more than 60 GB of storage. In addition to the artifacts themselves, the Maven Central Repository also contains a POM-file for each of the artifacts, containing the meta data for these artifacts. To protect the integrity of the repository, Sonatype checks the meta data for correctness. If the meta data is erroneous, the artifact can’t be uploaded. There are some artifacts on the Maven Central Repo, with corrupt meta data. Is there an issue tracker where such corrupt artifacts could be reported? What is the policy of Sonatype handling this issue? 1. Will corrupt artifacts be removed (causing a chain reaction, because Central hosted dependents will loose their dependencies, which are required to be also on Central)? 2. Or is it in Sonatype's plan to start a new Central Repo, which is now better scanned? 3. Or ignorance? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
The MEV project on jira.codehaus.org is where we collect data to fix these known issues. In general the policy is not to change existing files (checksums is one exception), and also we need to be careful to not insert pom files in place of missing ones. Even doing this can cause user's builds to change in subtle ways. There are plans to get some of this cleaned up and mainly focus on stopping the garbage from getting in there in the first place. On Thu, Sep 24, 2009 at 7:40 AM, Albert Kurucz albert.kur...@gmail.com wrote: According to http://www.think88.com/resources/Maven_white_paper_june_2009.pdf Sonatype maintains a central repository with more than 90,000 artifacts, consuming more than 60 GB of storage. In addition to the artifacts themselves, the Maven Central Repository also contains a POM-file for each of the artifacts, containing the meta data for these artifacts. To protect the integrity of the repository, Sonatype checks the meta data for correctness. If the meta data is erroneous, the artifact can’t be uploaded. There are some artifacts on the Maven Central Repo, with corrupt meta data. Is there an issue tracker where such corrupt artifacts could be reported? What is the policy of Sonatype handling this issue? 1. Will corrupt artifacts be removed (causing a chain reaction, because Central hosted dependents will loose their dependencies, which are required to be also on Central)? 2. Or is it in Sonatype's plan to start a new Central Repo, which is now better scanned? 3. Or ignorance? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Brian, Probably no one ever suggested that the corrupt artifacts should be fixed, because fixing is not even possible (every artifact must be signed by the creator). The question is whether you prefer the corrupt ones to be removed or just wait until they become obsolete and no one would care about that they stay or not (quantity or quality has the priority?). The work on preventing the ugly ones from getting in I agree has the first priority. But will you address (and when?) this second most important task, the garbage collection? On Thu, Sep 24, 2009 at 1:13 PM, Brian Fox bri...@infinity.nu wrote: The MEV project on jira.codehaus.org is where we collect data to fix these known issues. In general the policy is not to change existing files (checksums is one exception), and also we need to be careful to not insert pom files in place of missing ones. Even doing this can cause user's builds to change in subtle ways. There are plans to get some of this cleaned up and mainly focus on stopping the garbage from getting in there in the first place. On Thu, Sep 24, 2009 at 7:40 AM, Albert Kurucz albert.kur...@gmail.com wrote: According to http://www.think88.com/resources/Maven_white_paper_june_2009.pdf Sonatype maintains a central repository with more than 90,000 artifacts, consuming more than 60 GB of storage. In addition to the artifacts themselves, the Maven Central Repository also contains a POM-file for each of the artifacts, containing the meta data for these artifacts. To protect the integrity of the repository, Sonatype checks the meta data for correctness. If the meta data is erroneous, the artifact can’t be uploaded. There are some artifacts on the Maven Central Repo, with corrupt meta data. Is there an issue tracker where such corrupt artifacts could be reported? What is the policy of Sonatype handling this issue? 1. Will corrupt artifacts be removed (causing a chain reaction, because Central hosted dependents will loose their dependencies, which are required to be also on Central)? 2. Or is it in Sonatype's plan to start a new Central Repo, which is now better scanned? 3. Or ignorance? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Brian, MEV is for Maven Evangelism issues. Are you sure maintenance issues of any given repo should belong to that? On Thu, Sep 24, 2009 at 1:13 PM, Brian Fox bri...@infinity.nu wrote: The MEV project on jira.codehaus.org is where we collect data to fix these known issues. In general the policy is not to change existing files (checksums is one exception), and also we need to be careful to not insert pom files in place of missing ones. Even doing this can cause user's builds to change in subtle ways. There are plans to get some of this cleaned up and mainly focus on stopping the garbage from getting in there in the first place. On Thu, Sep 24, 2009 at 7:40 AM, Albert Kurucz albert.kur...@gmail.com wrote: According to http://www.think88.com/resources/Maven_white_paper_june_2009.pdf Sonatype maintains a central repository with more than 90,000 artifacts, consuming more than 60 GB of storage. In addition to the artifacts themselves, the Maven Central Repository also contains a POM-file for each of the artifacts, containing the meta data for these artifacts. To protect the integrity of the repository, Sonatype checks the meta data for correctness. If the meta data is erroneous, the artifact can’t be uploaded. There are some artifacts on the Maven Central Repo, with corrupt meta data. Is there an issue tracker where such corrupt artifacts could be reported? What is the policy of Sonatype handling this issue? 1. Will corrupt artifacts be removed (causing a chain reaction, because Central hosted dependents will loose their dependencies, which are required to be also on Central)? 2. Or is it in Sonatype's plan to start a new Central Repo, which is now better scanned? 3. Or ignorance? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Thu, Sep 24, 2009 at 12:18 PM, Albert Kurucz albert.kur...@gmail.com wrote: Brian, MEV is for Maven Evangelism issues. Are you sure maintenance issues of any given repo should belong to that? For any given repo no, for Central, yes. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Thu, Sep 24, 2009 at 12:04 PM, Albert Kurucz albert.kur...@gmail.com wrote: Brian, Probably no one ever suggested that the corrupt artifacts should be fixed, because fixing is not even possible (every artifact must be signed by the creator). The question is whether you prefer the corrupt ones to be removed or just wait until they become obsolete and no one would care about that they stay or not (quantity or quality has the priority?). To take this further you must define corrupt. If something is demonstrated truly and completely broken and/or dangerous, it will be removed immediately. If a pom is missing a dependency, that doesn't qualify, it's up to the project to fix and produce a new release in that case. The work on preventing the ugly ones from getting in I agree has the first priority. But will you address (and when?) this second most important task, the garbage collection? We are actively working on technology to address this, expect details in the near future. What do you mean by garbage collection? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Rules are enforced or here comes the anarchy... The severity of the damage? The Central should be an example of good practice. Otherwise... On Thu, Sep 24, 2009 at 4:41 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 12:04 PM, Albert Kurucz albert.kur...@gmail.com wrote: Brian, Probably no one ever suggested that the corrupt artifacts should be fixed, because fixing is not even possible (every artifact must be signed by the creator). The question is whether you prefer the corrupt ones to be removed or just wait until they become obsolete and no one would care about that they stay or not (quantity or quality has the priority?). To take this further you must define corrupt. If something is demonstrated truly and completely broken and/or dangerous, it will be removed immediately. If a pom is missing a dependency, that doesn't qualify, it's up to the project to fix and produce a new release in that case. The work on preventing the ugly ones from getting in I agree has the first priority. But will you address (and when?) this second most important task, the garbage collection? We are actively working on technology to address this, expect details in the near future. What do you mean by garbage collection? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Garbage collection? Identify corrupted ones and remove. On Thu, Sep 24, 2009 at 4:41 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 12:04 PM, Albert Kurucz albert.kur...@gmail.com wrote: Brian, Probably no one ever suggested that the corrupt artifacts should be fixed, because fixing is not even possible (every artifact must be signed by the creator). The question is whether you prefer the corrupt ones to be removed or just wait until they become obsolete and no one would care about that they stay or not (quantity or quality has the priority?). To take this further you must define corrupt. If something is demonstrated truly and completely broken and/or dangerous, it will be removed immediately. If a pom is missing a dependency, that doesn't qualify, it's up to the project to fix and produce a new release in that case. The work on preventing the ugly ones from getting in I agree has the first priority. But will you address (and when?) this second most important task, the garbage collection? We are actively working on technology to address this, expect details in the near future. What do you mean by garbage collection? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On 2009-09-24, at 3:16 PM, Albert Kurucz wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. The growth of the central repository is a function of our initial flexibility and, quite honestly, lack of tooling to enforce what we now consider necessary. Hindsight is always 20/20. It's easy to look now at all the problems in the repository with a critical eye, but the fact of the matter is if we were extremely strict to begin with we probably would have stunted its growth. Maven use has grown, the use of the repository has grown and problems with metadata are now felt globally. We are talking steps to clean this up and make it easier for projects to do the right thing. The fact still remains that Maven Central has always been a public service and a point of convenience for Maven users. That was the impetus for its creation. We have probably been a bit too lenient insofar as letting organizations rsync directly but live and learn. We do have the tools now in Nexus to prevent garbage from going into the repository but its an organizational and project choice to use these tools. The plan going forward is to encourage projects to do the right thing. We're not going to retroactively remove or change things from Maven central. I have never recommended anyone doing real development in an organization connect directly to Maven central. It's a great way to populate the repository you have internally but the management of the binary dependencies is just as important as the management of your source. People have traditionally done this in house using Apache and having to fix things internally but these days there are tools like Nexus, Archiva and Artifactory. There is no silver bullet to have a healthy artifact repository that you can depend on in your organization. It takes some work, just like anything else. Can we make that easier for people? Sure, and we're making steps toward that goal on a daily basis. We'll have some tools in Nexus that we're going to make available to OSS projects with the 1.4 release which should start relieving a lot of the pain and ensure the quality we need. Rules are enforced or here comes the anarchy... The severity of the damage? The Central should be an example of good practice. Otherwise... On Thu, Sep 24, 2009 at 4:41 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 12:04 PM, Albert Kurucz albert.kur...@gmail.com wrote: Brian, Probably no one ever suggested that the corrupt artifacts should be fixed, because fixing is not even possible (every artifact must be signed by the creator). The question is whether you prefer the corrupt ones to be removed or just wait until they become obsolete and no one would care about that they stay or not (quantity or quality has the priority?). To take this further you must define corrupt. If something is demonstrated truly and completely broken and/or dangerous, it will be removed immediately. If a pom is missing a dependency, that doesn't qualify, it's up to the project to fix and produce a new release in that case. The work on preventing the ugly ones from getting in I agree has the first priority. But will you address (and when?) this second most important task, the garbage collection? We are actively working on technology to address this, expect details in the near future. What do you mean by garbage collection? - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven Central Repository - Cleanup Efforts
On 2009-09-24, at 7:52 PM, Albert Kurucz wrote: Jason and Brian, thanks for the explanations. Understood, the policy of not removing anything from Maven Central serves a purpose. I wish there would be another publicly Maven repository, which is maintained with rules enforced. This repo could even have a rule (additional to the old and unenforced rules) that only Maven built projects can enter, maybe even more restriction: only the designated Continuous Integration server can upload to it. What matters is a plan to improve the metadata and this can be done over time. There can never be a big bang here, there is just too much content, and too many people relying on the content that's there. Projects that are deploying against oss.sonatype.org are subject to the procurement rules which are stringent. The artifacts are placed in a staging repository, rules are applied and if they all pass they get promoted otherwise they have to be corrected. No promotion unless all the rules pass. Only allowing Maven built projects doesn't make sense. All we need it the correct information. We honestly don't care if people build with Maven or not. We just need a high-quality POM, correct metadata, javadocs, sources, and signatures. This pure Maven repo would not be able to compete with Maven Central regarding size or the number of artifacts, but some OSS developers might prefer to use from and supply to this one instead of the big and ugly. This isn't really going to change or help anything. The existing content cannot change, the content going forward needs to be improved and that's what matters. Over time as the content improves the poorer quality submissions will just fall into disuse. Nexus can now help any project that wants to deploy high quality artifacts via oss.sonatype.org. The next step for us is allowing bundle submissions that are normally pushed into JIRA to be also submitted into a staging repository and run through the same set of rules. This will be available in Nexus 1.4. The last gap to fill will be repositories that directly sync and we'll provide a mechanism for that in Nexus as well. Ultimately we will build up these rules and if you don't pass them, by whatever gate you pass through, then your artifacts get rejected. We'll provide this in an easy to use form with Nexus but ultimately it doesn't matter how these rules are enforced as long as they are enforced. This is the only strategy that will work long-term. What's done has been done. What matters now helping projects do the right thing going forward. On Thu, Sep 24, 2009 at 6:44 PM, Brian Fox bri...@infinity.nu wrote: On Thu, Sep 24, 2009 at 3:16 PM, Albert Kurucz albert.kur...@gmail.com wrote: Requirements for the POMs are defined as: http://maven.apache.org/guides/mini/guide-central-repository-upload.html I call the artifact corrupt (regarding Maven Central Compliance) if the POM of the artifact does not fulfills the above requirements. There are corrupt ones have made it to the Central, because the guard was sleeping. Correct, but changing them is not an option because it will destabilize builds. This is a long standing rule that we do not remove or change the contents of central. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org Thanks, Jason -- Jason van Zyl Founder, Apache Maven http://twitter.com/jvanzyl -- - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
