Posted to users@maven.apache.org by Ravi Luthra <co...@gmail.com> on 2010/05/05 01:01:00 UTC

lock down plugin versions in enterprise poms?

At our company we maintain a top-level enterprise pom that all projects
inherit. We're considering adding versions to lock down our plugin versions.
What we are trying to avoid is having our build break because of a
third-party plugin upgrading on us unexpectedly.

I've heard that locking down the plugin version is a bad practice mostly
because of major versions of Maven being released. Is this really a bad
practice?

What consequences would we face if we locked down our versions and upgraded
them on our own, rather than allowing Maven to choose for us?

Thanks,
Ravi

Re: lock down plugin versions in enterprise poms?

Posted by Justin Edelson <ju...@gmail.com>.
You should lock down plugin versions in your enterprise pom. Whoever told you otherwise was on crack.

Justin

On May 4, 2010, at 7:01 PM, Ravi Luthra <co...@gmail.com> wrote:

> At our company we maintain a top-level enterprise pom that all projects
> inherit. We're considering adding versions to lock down our plugin versions.
> What we are trying to avoid is having our build break because of a
> third-party plugin upgrading on us unexpectedly.
> 
> I've heard that locking down the plugin version is a bad practice mostly
> because of major versions of Maven being released. Is this really a bad
> practice?
> 
> What consequences would we face if we locked down our versions and upgraded
> them on our own, rather than allowing Maven to choose for us?
> 
> Thanks,
> Ravi

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: lock down plugin versions in enterprise poms?

Posted by Ravi Luthra <co...@gmail.com>.
Thanks all, we know where to go from here!

On Tue, May 4, 2010 at 6:03 PM, Jesse Farinacci <ji...@gmail.com> wrote:

> Hi Ravi,
>
> On Tue, May 4, 2010 at 7:01 PM, Ravi Luthra <co...@gmail.com> wrote:
> >
> > I've heard that locking down the plugin version is a bad practice mostly
> > because of major versions of Maven being released. Is this really a bad
> > practice?
>
> Not only is it a best practice, but there is support for you to ensure
> you've done your job well[1] as well as locate new versions of plugins
> for you to upgrade onto.
>
>  [1]
> http://maven.apache.org/enforcer/enforcer-rules/requirePluginVersions.html
>  [2]
> http://mojo.codehaus.org/versions-maven-plugin/display-plugin-updates-mojo.html
>
> > What consequences would we face if we locked down our versions and upgraded
> > them on our own, rather than allowing Maven to choose for us?
>
> The only consequence would be that you'd not pick up any critical
> plugin updates due to bad plugins, but I'm not very convinced by this.
> Usually monitoring for [ANN] on maven-users is sufficient to keep
> abreast of changes.
>
> -Jesse
>
> --
> There are 10 types of people in this world, those
> that can read binary and those that can not.
>

Re: lock down plugin versions in enterprise poms?

Posted by Jesse Farinacci <ji...@gmail.com>.
Hi Ravi,

On Tue, May 4, 2010 at 7:01 PM, Ravi Luthra <co...@gmail.com> wrote:
>
> I've heard that locking down the plugin version is a bad practice mostly
> because of major versions of Maven being released. Is this really a bad
> practice?

Not only is it a best practice, but there is support for you to ensure
you've done your job well[1] as well as locate new versions of plugins
for you to upgrade onto.

 [1] http://maven.apache.org/enforcer/enforcer-rules/requirePluginVersions.html
 [2] http://mojo.codehaus.org/versions-maven-plugin/display-plugin-updates-mojo.html

> What consequences would we face if we locked down our versions and upgraded
> them on our own, rather than allowing Maven to choose for us?

The only consequence would be that you'd not pick up any critical
plugin updates due to bad plugins, but I'm not very convinced by this.
Usually monitoring for [ANN] on maven-users is sufficient to keep
abreast of changes.

-Jesse

-- 
There are 10 types of people in this world, those
that can read binary and those that can not.

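The `<build>` section of an enterprise pom that does what Jesse describes: every plugin version is pinned in `pluginManagement`, and the enforcer `requirePluginVersions` rule from link [1] fails the build if anything slips through unpinned. This is an added example, not code from the thread or the Maven project; the plugin version numbers are illustrative values I chose, not recommendations.

```xml
<!-- <build> section of the enterprise pom (added example, not from the thread).
     Plugin versions are illustrative values chosen by the editor; replace them
     with versions your organisation has validated. -->
<build>
  <pluginManagement>
    <!-- Every plugin the build can touch gets an explicit version here, so child
         poms never fall back to whatever the repository happens to resolve. -->
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.8.1</version>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
      </plugin>
    </plugins>
  </pluginManagement>
  <plugins>
    <!-- Fail the build if any plugin, including ones bound implicitly by the
         lifecycle, resolves to an unpinned, LATEST, RELEASE or SNAPSHOT version. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>enforce-plugin-versions</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <requirePluginVersions>
                <message>Pin every plugin version in the enterprise pom.</message>
                <banLatest>true</banLatest>
                <banRelease>true</banRelease>
                <banSnapshots>true</banSnapshots>
              </requirePluginVersions>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With the versions pinned this way, `mvn versions:display-plugin-updates` (link [2]) lists the newer plugin releases you can upgrade to on your own schedule.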


Re: lock down plugin versions in enterprise poms?

Posted by Stephen Connolly <st...@gmail.com>.
On 5 May 2010 00:01, Ravi Luthra <co...@gmail.com> wrote:

> At our company we maintain a top-level enterprise pom that all projects
> inherit. We're considering adding versions to lock down our plugin versions.
> What we are trying to avoid is having our build break because of a
> third-party plugin upgrading on us unexpectedly.
>
> I've heard that locking down the plugin version is a bad practice mostly
> because of major versions of Maven being released. Is this really a bad
> practice?
>

You heard wrong.

Locking down the plugin versions is best practice.

>
> What consequences would we face if we locked down our versions and upgraded
> them on our own, rather than allowing Maven to choose for us?
>
> Thanks,
> Ravi
>

Re: lock down plugin versions in enterprise poms?

Posted by Manfred Moser <ma...@mosabuam.com>.
It is totally best practice to lock your plugin versions and much more
down. Depending on the usage of your company pom and the content you could
even introduce a company super pom.

Have a look here for what I mean.

http://www.mosabuam.com/2009/10/company-super-pom-a-maven-practice

manfred

> At our company we maintain a top-level enterprise pom that all projects
> inherit. We're considering adding versions to lock down our plugin versions.
> What we are trying to avoid is having our build break because of a
> third-party plugin upgrading on us unexpectedly.
>
> I've heard that locking down the plugin version is a bad practice mostly
> because of major versions of Maven being released. Is this really a bad
> practice?
>
> What consequences would we face if we locked down our versions and upgraded
> them on our own, rather than allowing Maven to choose for us?
>
> Thanks,
> Ravi
>

