The hash thing ONLY works for a limited set of changes to a pom.xml.   For 
example, in the past there have been changes that affect dependencies 
like changing scopes from runtime to provided or similar.   I've also 
seen changes to poms that change groupIds of dependencies (that were also 
moved in the repository).   

Many of those changes would (and did) cause build breakages even if the 
md5 hash thing was done.   Until they REALLY do limit the changes to 
those that are COMPLETELY safe, we're all at risk.  Then the question 
DOES arise: how WOULD they make changes like dependency changes, etc.? 

Dan


On Friday 19 May 2006 18:56, Wayne Fay wrote:
> -Or- like I said in my previous email (and unless I'm mistaken, what I
> believe the Maven team is planning on implementing), they should add
> hashing of the pom itself and check that file in addition to the
> binary jar when looking for and downloading updates.
>
> This is also a reasonable fix to the solution, imo. Especially
> considering the "difficulty" related to matching poms with a certain
> version tag to binaries with another version tag (ie 1.4.2-rc1 and
> -rc2 vs 1.4.2, etc).
>
> Wayne
>
> On 5/19/06, Orjan Austvold <[EMAIL PROTECTED]> wrote:
> > Daniel Kulp wrote:
> > > Right.  But if an error is detected in a pom, why does the pom have
> > > to be updated.    For example, if there is a:
> > >
> > > foo/1.0/foo-1.0.pom
> > >
> > > why can't we do something like Gentoo Linux and leave that alone
> > > and then add a:
> > > foo/1.0-R2/foo-1.0-R2.pom
> > >
> > > It's still "foo 1.0 as released by the foo developers", but its the
> > > R2 "update" as far as the maven repository is concerned.   If the
> > > foo developers produce a 1.0.1, fine.   We create a:
> > > foo/1.0.1/foo-1.0.1.pom
> > >
> > > Thus, existing apps and such that depend on the broken behavior are
> > > OK and others can migrate to the "correct" poms as needed.
> > >
> > > Anyway, I COMPLETELY agree that stuff put up on ibiblio as a
> > > release, correct or broken, should stay that way.
> >
> > Right on, Daniel! Introduction of non-maven artifacts could adopt the
> > scheme from Gentoo (or Debian (Ubuntu)) to provide mavenized releases
> > in which version numbers could document a change made by "Maven"
> > number X. Every change in a fixed release of the artifact (POM or
> > whatever) would increase the X.
> >
> > A release to the repository has to be write-once. If this is not
> > true, then Maven has to come with a footnote telling everybody to
> > delete their local repository if a build goes astray.
> >
> >
> > Ørjan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>

-- 
J. Daniel Kulp
[EMAIL PROTECTED]
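
The two checks discussed in this thread, shown in code as an added example (this is not Maven's own checksum code, and the foo-1.0 jar bytes and POMs are constructed for the demo): record a checksum for the jar *and* the pom, see that a jar-only check lets an in-place pom edit through while a jar+pom check flags it, and then parse the two poms to show the kind of change Dan describes (a dependency scope flipped from runtime to provided) that a hash can detect but not make safe. Maven of this era published .md5/.sha1 sidecar files; sha256 is used here instead.

```python
"""Record and verify checksums for a Maven artifact and its POM, then report
what actually changed inside the POM.  Added example, not Maven's own code.
Artifact bytes and POM text below are constructed for the demo."""
import hashlib
import xml.etree.ElementTree as ET

JAR_PATH = "foo/1.0/foo-1.0.jar"
POM_PATH = "foo/1.0/foo-1.0.pom"

# Constructed sample content (hypothetical foo 1.0; not a real repository artifact).
FOO_JAR = b"PK\x03\x04 stand-in for the foo-1.0.jar bytes"
POM_ORIGINAL = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId><artifactId>foo</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>bar</groupId><artifactId>bar</artifactId>
      <version>2.1</version><scope>runtime</scope>
    </dependency>
  </dependencies>
</project>"""
# The kind of in-place edit the thread complains about: same version, scope changed.
POM_EDITED = POM_ORIGINAL.replace(b"<scope>runtime</scope>", b"<scope>provided</scope>")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_checksums(files: dict) -> dict:
    """Snapshot {repository path: checksum} for every file, jars and poms alike."""
    return {path: sha256_hex(data) for path, data in files.items()}


def changed_paths(recorded: dict, files: dict, poms_too: bool = True) -> list:
    """Paths whose current bytes no longer match the recorded checksum.
    poms_too=False mimics checking only the binary jar, which is exactly what
    lets a silently edited POM through."""
    out = []
    for path, data in files.items():
        if not poms_too and path.endswith(".pom"):
            continue
        if recorded.get(path) != sha256_hex(data):
            out.append(path)
    return sorted(out)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any


def dependencies(pom_bytes: bytes) -> dict:
    """{(groupId, artifactId): (version, scope)} for every <dependency> element.
    Entries under <dependencyManagement> are included as well; fine for a diff."""
    deps = {}
    for el in ET.fromstring(pom_bytes).iter():
        if _local(el.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        deps[(f.get("groupId"), f.get("artifactId"))] = (f.get("version"), f.get("scope") or "compile")
    return deps


def dependency_diff(old_pom: bytes, new_pom: bytes) -> dict:
    """Dependencies added, removed, or whose version/scope changed between two POMs."""
    old, new = dependencies(old_pom), dependencies(new_pom)
    return {key: (old.get(key), new.get(key))
            for key in set(old) | set(new) if old.get(key) != new.get(key)}


if __name__ == "__main__":
    recorded = record_checksums({JAR_PATH: FOO_JAR, POM_PATH: POM_ORIGINAL})
    now = {JAR_PATH: FOO_JAR, POM_PATH: POM_EDITED}
    print("jar-only check flags:", changed_paths(recorded, now, poms_too=False))
    print("jar+pom check flags: ", changed_paths(recorded, now))
    print("what changed in the pom:", dependency_diff(POM_ORIGINAL, POM_EDITED))
```

The checksum check answers "did the pom change"; the dependency diff answers "what changed", which is the question Dan raises about which pom edits are safe. A real repository policy would have to decide that from the diff (a scope flip or a moved groupId is not a no-op for downstream builds), or avoid the problem entirely with the write-once, R2-style revision scheme from earlier in the thread.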

