Posted to users@maven.apache.org by "KARR, DAVID" <dk...@att.com> on 2016/10/17 20:03:03 UTC

Comparing specifying repositories in pom vs. settings.xml?

One thing I run into when jumping between different projects is different expectations for what maven repos I need to be using.  In the past, I had to have multiple copies of "~/.m2/settings.xml" lying around, and I would hack the specified repos when I needed to.

Recently, I saw a situation where the required repositories were simply defined in the top-level pom for the project.  If this is done consistently, there's no longer any need to hack the settings.xml file.

I seem to remember seeing some advice that specifying repositories in the POM is a bad practice.  If I'm remembering this correctly, this seems odd.  Forcing the correct repos to be defined in the settings.xml works against "repeatable builds".

What is the recommended advice here?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


RE: Comparing specifying repositories in pom vs. settings.xml?

Posted by Robert Patrick <ro...@oracle.com>.
My team always favors defining repos in the top-level (parent) POM.  If we require special project-specific settings that must be in settings.xml, we put settings.xml in the top-level of the project source tree and check it in...

For publishing projects to our binary repo for consumption by other groups, we simply use the flatten-maven-plugin to strip out the repo (and other build-related stuff) from the published POM.


-----Original Message-----
From: KARR, DAVID [mailto:dk068x@att.com] 
Sent: Monday, October 17, 2016 3:03 PM
To: users@maven.apache.org
Subject: Comparing specifying repositories in pom vs. settings.xml?

One thing I run into when jumping between different projects is different expectations for what maven repos I need to be using.  In the past, I had to have multiple copies of "~/.m2/settings.xml" lying around, and I would hack the specified repos when I needed to.

Recently, I saw a situation where the required repositories were simply defined in the top-level pom for the project.  If this is done consistently, there's no longer any need to hack the settings.xml file.

I seem to remember seeing some advice that specifying repositories in the POM is a bad practice.  If I'm remembering this correctly, this seems odd.  Forcing the correct repos to be defined in the settings.xml works against "repeatable builds".

What is the recommended advice here?



RE: Comparing specifying repositories in pom vs. settings.xml?

Posted by "Gopalakrishnan, Gopal (CORP)" <Go...@ADP.com>.
Is this similar to what I am experiencing? Perhaps not.

My build fails when I change to jdk1.8. Works perfectly in jdk1.7 ... With no changes other than the change to the jdk ...

Build fails ... cannot resolve dependency ...

Any suggestions?

-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org] 
Sent: Tuesday, October 18, 2016 8:00 AM
To: Maven Users List
Subject: Re: Comparing specifying repositories in pom vs. settings.xml?

Yes, some years ago we did exactly this; most academic open source projects then didn't bother with Maven Central and we relied on 8 different open repositories around the world, often with dubious hostnames like
rpc268.cs.example.edu:8080 -- this meant that although the build was reproducible for everyone at the time; often just one year down the line those repositories might have gone offline and caused long timeouts - or worse, serve a generic HTML page no matter what you request, giving checksum errors.

So now the build of the old tag would fail, but worse, released modules that ultimately had that project pom as parent also started failing as dependency in newer code because those <repositories> are also consulted for transitive dependencies. (Even if that particular repo was not needed, Maven does not generally know which repo for which deps and consults all)

So I would say, only add stable long-term repos to the parent pom, e.g.
springsource or bintray repositories, while repo-of-the-day should be handled through a proxy Artifactory or Nexus server configured in .settings
(enterprise) or top level pom (business open source), the proxy would then keep caches for a rainy day. Anything released open source should be pushed to Central (or at least a single place), even if it was made by someone who didn't bother themselves.

On 18 Oct 2016 2:14 pm, "Curtis Rueden" <ct...@wisc.edu> wrote:

> > I'm trying, without success, to imagine why you do not simply 
> > accumulate <server> elements as required.
>
> Wouldn't that cause Maven to ping every server sequentially for every 
> needed artifact?
>
> Better to set up a Maven repository manager (Nexus, Artifactory, etc.) 
> and proxy all the needed sources, no? Then your settings.xml is always 
> constant, pointing at your master Nexus, which groups all your needed 
> repositories. Your build is reproducible and remains resilient to 
> otherwise disruptive remote repository changes -- as long as your 
> master Nexus does not change.
>
>
> On Tue, Oct 18, 2016 at 8:03 AM, Mark H. Wood <mw...@iupui.edu> wrote:
>
> > On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> > > One thing I run into when jumping between different projects is
> > different expectations for what maven repos I need to be using.  In 
> > the past, I had to have multiple copies of "~/.m2/settings.xml" 
> > lying around, and I would hack the specified repos when I needed to.
> >
> > I'm trying, without success, to imagine why you do not simply 
> > accumulate <server> elements as required.  Before long you should 
> > reach a state in which new additions are extremely rare.
> >
> > --
> > Mark H. Wood
> > Lead Technology Analyst
> >
> > University Library
> > Indiana University - Purdue University Indianapolis
> > 755 W. Michigan Street
> > Indianapolis, IN 46202
> > 317-274-0749
> > www.ulib.iupui.edu
> >
>


Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Stian Soiland-Reyes <st...@apache.org>.
Yes, some years ago we did exactly this; most academic open source projects
then didn't bother with Maven Central and we relied on 8 different open
repositories around the world, often with dubious hostnames like
rpc268.cs.example.edu:8080 -- this meant that although the build was
reproducible for everyone at the time; often just one year down the line
those repositories might have gone offline and caused long timeouts - or
worse, serve a generic HTML page no matter what you request, giving
checksum errors.

So now the build of the old tag would fail, but worse, released modules
that ultimately had that project pom as parent also started failing as
dependency in newer code because those <repositories> are also consulted
for transitive dependencies. (Even if that particular repo was not needed,
Maven does not generally know which repo for which deps and consults all)

So I would say, only add stable long-term repos to the parent pom, e.g.
springsource or bintray repositories, while repo-of-the-day should be
handled through a proxy Artifactory or Nexus server configured in .settings
(enterprise) or top level pom (business open source), the proxy would then
keep caches for a rainy day. Anything released open source should be pushed
to Central (or at least a single place), even if it was made by someone who
didn't bother themselves.

On 18 Oct 2016 2:14 pm, "Curtis Rueden" <ct...@wisc.edu> wrote:

> > I'm trying, without success, to imagine why you do not simply
> > accumulate <server> elements as required.
>
> Wouldn't that cause Maven to ping every server sequentially for every
> needed artifact?
>
> Better to set up a Maven repository manager (Nexus, Artifactory, etc.) and
> proxy all the needed sources, no? Then your settings.xml is always
> constant, pointing at your master Nexus, which groups all your needed
> repositories. Your build is reproducible and remains resilient to otherwise
> disruptive remote repository changes -- as long as your master Nexus does
> not change.
>
>
> On Tue, Oct 18, 2016 at 8:03 AM, Mark H. Wood <mw...@iupui.edu> wrote:
>
> > On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> > > One thing I run into when jumping between different projects is
> > different expectations for what maven repos I need to be using.  In the
> > past, I had to have multiple copies of "~/.m2/settings.xml" lying around,
> > and I would hack the specified repos when I needed to.
> >
> > I'm trying, without success, to imagine why you do not simply
> > accumulate <server> elements as required.  Before long you should reach
> > a state in which new additions are extremely rare.
> >
> > --
> > Mark H. Wood
> > Lead Technology Analyst
> >
> > University Library
> > Indiana University - Purdue University Indianapolis
> > 755 W. Michigan Street
> > Indianapolis, IN 46202
> > 317-274-0749
> > www.ulib.iupui.edu
> >
>
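
An audit of the repositories a POM declares, for the point above that `<repositories>` in a parent POM are inherited and then consulted for transitive dependencies. This is an added example, not code from the thread or from Maven; the sample POM, the allowlist and the function names are assumptions.

```python
"""Audit the repositories a Maven POM declares (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a parent POM with one HTTPS proxy, one plain-HTTP
# departmental host, and a plugin repository tucked inside a profile.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0</version>
  <packaging>pom</packaging>
  <repositories>
    <repository>
      <id>company-proxy</id>
      <url>https://nexus.example.org/repository/maven-public/</url>
    </repository>
    <repository>
      <id>lab-repo</id>
      <url>http://rpc268.cs.example.edu:8080/maven2</url>
    </repository>
  </repositories>
  <profiles>
    <profile>
      <id>extras</id>
      <pluginRepositories>
        <pluginRepository>
          <id>plugins-mirror</id>
          <url>https://plugins.example.net/maven</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</project>
"""

# Assumed policy: hosts a build is allowed to resolve artifacts from.
ALLOWED_HOSTS = {"nexus.example.org", "repo.maven.apache.org"}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def declared_repositories(pom_xml):
    """Return every resolution repository in the POM, profiles included."""
    found = []

    def walk(node, profile):
        for child in node:
            name = _local(child.tag)
            if name == "distributionManagement":
                continue  # deploy targets, not places artifacts are fetched from
            if name == "profile":
                pid = next((c.text for c in child if _local(c.tag) == "id"), "?")
                walk(child, pid)
            elif name in ("repository", "pluginRepository"):
                fields = {_local(c.tag): (c.text or "").strip() for c in child}
                found.append({"kind": name, "id": fields.get("id", ""),
                              "url": fields.get("url", ""), "profile": profile})
            else:
                walk(child, profile)

    walk(ET.fromstring(pom_xml), None)
    return found


def audit(pom_xml, allowed_hosts=ALLOWED_HOSTS):
    """Flag repositories that are not HTTPS or not on the allowlist."""
    findings = []
    for repo in declared_repositories(pom_xml):
        url = urlparse(repo["url"])
        where = f"profile '{repo['profile']}'" if repo["profile"] else "top level"
        if url.scheme != "https":
            findings.append((repo["id"], "not-https", where))
        if url.hostname not in allowed_hosts:
            findings.append((repo["id"], "host-not-allowlisted", where))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POM):
        print(finding)
```

Run it against the effective parent chain, not only the module's own pom.xml, since inherited declarations are the ones that surprise downstream consumers.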

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by ec...@zusammenkunft.net.
Hello,

You can have multiple groups (but I have never seen hundreds or thousands in use). In our case we have virtual repos only based on the product status and a separate virtual one for build time (plugin) dependencies.

Btw one more reason for using different settings if you work on projects with different repositories is also the local repository cache. While it does remember where an artifact has come from, it does not cleanly isolate repos.

So when you build something which should not use a specific repo it might still discover the artifacts. So when you set up different settings (one for company, one for open source) do not only specify different repos and mirrors, but also a different local path.

Regards
Bernd
-- 
http://bernd.eckenfels.net


From: Robert Patrick
Sent: Tuesday, 18 October 2016 15:57
To: Maven Users List
Subject: RE: Comparing specifying repositories in pom vs. settings.xml?

But in a large corporate environment, the centralized repository manager can house hundreds/thousands of repositories so unless you want to virtualize the entire set of repositories (which tends to make the repository manager slower), you still need to specify the repositories to search, right? 


-----Original Message-----
From: Curtis Rueden [mailto:ctrueden@wisc.edu] 
Sent: Tuesday, October 18, 2016 8:14 AM
To: Maven Users List
Subject: Re: Comparing specifying repositories in pom vs. settings.xml?

> I'm trying, without success, to imagine why you do not simply 
> accumulate <server> elements as required.

Wouldn't that cause Maven to ping every server sequentially for every needed artifact?

Better to set up a Maven repository manager (Nexus, Artifactory, etc.) and proxy all the needed sources, no? Then your settings.xml is always constant, pointing at your master Nexus, which groups all your needed repositories. Your build is reproducible and remains resilient to otherwise disruptive remote repository changes -- as long as your master Nexus does not change.


On Tue, Oct 18, 2016 at 8:03 AM, Mark H. Wood <mw...@iupui.edu> wrote:

> On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> > One thing I run into when jumping between different projects is
> different expectations for what maven repos I need to be using.  In 
> the past, I had to have multiple copies of "~/.m2/settings.xml" lying 
> around, and I would hack the specified repos when I needed to.
>
> I'm trying, without success, to imagine why you do not simply 
> accumulate <server> elements as required.  Before long you should 
> reach a state in which new additions are extremely rare.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>




Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Benson Margulies <bi...@gmail.com>.
Our experience is that the not-central repos aren't reliable over the
medium term. So, if we can't get it to go to central, we copy it into
our own copy of Nexus. This is, of course, not a helpful strategy for
anything that has to be maintained 'out in the open'.

On Wed, Oct 19, 2016 at 11:16 AM, KARR, DAVID <dk...@att.com> wrote:
>> -----Original Message-----
>> From: Mark H. Wood [mailto:mwood@IUPUI.Edu]
>> Sent: Wednesday, October 19, 2016 5:55 AM
>> To: users@maven.apache.org
>> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
>>
>> OK, I'm going to learn a lot from this thread.
>>
>> On Tue, Oct 18, 2016 at 06:57:42AM -0700, Robert Patrick wrote:
>> > But in a large corporate environment, the centralized repository
>> manager can house hundreds/thousands of repositories so unless you want
>> to virtualize the entire set of repositories (which tends to make the
>> repository manager slower), you still need to specify the repositories
>> to search, right?
>>
>> We have a local Nexus instance, and besides a mirror of Central and a
>> couple of others, there are just two non-mirror repositories:
>> local-snapshots and local-releases.  Why would you have more than these?
>
> Our "Nexus instance" maintains artifacts for a very large number of projects, most of which are managed by different teams that prefer, and often require (by NDA, et cetera), to keep their artifacts separate from the artifacts from other projects.  It's not unusual for some people to work on different sets of projects, requiring different sets of repositories.
>
>
>



RE: Comparing specifying repositories in pom vs. settings.xml?

Posted by "KARR, DAVID" <dk...@att.com>.
> -----Original Message-----
> From: Mark H. Wood [mailto:mwood@IUPUI.Edu]
> Sent: Wednesday, October 19, 2016 5:55 AM
> To: users@maven.apache.org
> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
> 
> OK, I'm going to learn a lot from this thread.
> 
> On Tue, Oct 18, 2016 at 06:57:42AM -0700, Robert Patrick wrote:
> > But in a large corporate environment, the centralized repository
> manager can house hundreds/thousands of repositories so unless you want
> to virtualize the entire set of repositories (which tends to make the
> repository manager slower), you still need to specify the repositories
> to search, right?
> 
> We have a local Nexus instance, and besides a mirror of Central and a
> couple of others, there are just two non-mirror repositories:
> local-snapshots and local-releases.  Why would you have more than these?

Our "Nexus instance" maintains artifacts for a very large number of projects, most of which are managed by different teams that prefer, and often require (by NDA, et cetera), to keep their artifacts separate from the artifacts from other projects.  It's not unusual for some people to work on different sets of projects, requiring different sets of repositories.




Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
OK, I'm going to learn a lot from this thread.

On Tue, Oct 18, 2016 at 06:57:42AM -0700, Robert Patrick wrote:
> But in a large corporate environment, the centralized repository manager can house hundreds/thousands of repositories so unless you want to virtualize the entire set of repositories (which tends to make the repository manager slower), you still need to specify the repositories to search, right? 

We have a local Nexus instance, and besides a mirror of Central and a
couple of others, there are just two non-mirror repositories:
local-snapshots and local-releases.  Why would you have more than these?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

RE: Comparing specifying repositories in pom vs. settings.xml?

Posted by Robert Patrick <ro...@oracle.com>.
But in a large corporate environment, the centralized repository manager can house hundreds/thousands of repositories so unless you want to virtualize the entire set of repositories (which tends to make the repository manager slower), you still need to specify the repositories to search, right? 


-----Original Message-----
From: Curtis Rueden [mailto:ctrueden@wisc.edu] 
Sent: Tuesday, October 18, 2016 8:14 AM
To: Maven Users List
Subject: Re: Comparing specifying repositories in pom vs. settings.xml?

> I'm trying, without success, to imagine why you do not simply 
> accumulate <server> elements as required.

Wouldn't that cause Maven to ping every server sequentially for every needed artifact?

Better to set up a Maven repository manager (Nexus, Artifactory, etc.) and proxy all the needed sources, no? Then your settings.xml is always constant, pointing at your master Nexus, which groups all your needed repositories. Your build is reproducible and remains resilient to otherwise disruptive remote repository changes -- as long as your master Nexus does not change.


On Tue, Oct 18, 2016 at 8:03 AM, Mark H. Wood <mw...@iupui.edu> wrote:

> On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> > One thing I run into when jumping between different projects is
> different expectations for what maven repos I need to be using.  In 
> the past, I had to have multiple copies of "~/.m2/settings.xml" lying 
> around, and I would hack the specified repos when I needed to.
>
> I'm trying, without success, to imagine why you do not simply 
> accumulate <server> elements as required.  Before long you should 
> reach a state in which new additions are extremely rare.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>



Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Curtis Rueden <ct...@wisc.edu>.
> I'm trying, without success, to imagine why you do not simply
> accumulate <server> elements as required.

Wouldn't that cause Maven to ping every server sequentially for every
needed artifact?

Better to set up a Maven repository manager (Nexus, Artifactory, etc.) and
proxy all the needed sources, no? Then your settings.xml is always
constant, pointing at your master Nexus, which groups all your needed
repositories. Your build is reproducible and remains resilient to otherwise
disruptive remote repository changes -- as long as your master Nexus does
not change.


On Tue, Oct 18, 2016 at 8:03 AM, Mark H. Wood <mw...@iupui.edu> wrote:

> On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> > One thing I run into when jumping between different projects is
> different expectations for what maven repos I need to be using.  In the
> past, I had to have multiple copies of "~/.m2/settings.xml" lying around,
> and I would hack the specified repos when I needed to.
>
> I'm trying, without success, to imagine why you do not simply
> accumulate <server> elements as required.  Before long you should reach
> a state in which new additions are extremely rare.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Mon, Oct 17, 2016 at 08:03:03PM +0000, KARR, DAVID wrote:
> One thing I run into when jumping between different projects is different expectations for what maven repos I need to be using.  In the past, I had to have multiple copies of "~/.m2/settings.xml" lying around, and I would hack the specified repos when I needed to.

I'm trying, without success, to imagine why you do not simply
accumulate <server> elements as required.  Before long you should reach
a state in which new additions are extremely rare.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Martin Hoeller <ma...@xss.co.at>.
On 17 Oct 2016, Manfred Moser wrote:

> If you really feel you need to control the source of where you download components from within the source control system 
> I would still NOT use the repositories definition in the POM since that is then transferred to the target repo on deployment (unless you use flatten).
> 
> Instead I would check in a specific settings.xml as part of the project... or even multiple ones for different build scenarios.. 

You could even use the .mvn/ folder with a maven.config file in it, to
use this specific settings.xml without any other setup. See
https://maven.apache.org/docs/3.3.1/release-notes.html#JVM_and_Command_Line_Options
for details.

hth,
- martin

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by ec...@zusammenkunft.net.
Hello,

For ensuring that artifacts do not go away (like recently some older JBoss public repos), for enforcing licensing and security restrictions, for caching the internet, and of course for having a single aggregated repository view, we run a single company server (with a filtered central and other repos mirror). Then this is the only repo configured. (We do that in the Parent for most internal projects but it is much better to set that up in settings.xml.)

Btw, we also used to use this server for exchanging snapshots, however the use of them between different people and builds has been greatly reduced lately with focusing on release builds.

I think you can't run a reliable and repeatable software production without.

Regards
Bernd
-- 
http://bernd.eckenfels.net
From Win 10 Mobile

From: Tamás Cservenák
Sent: Tuesday, 18 October 2016 09:17
To: Maven Users List
Subject: Re: Comparing specifying repositories in pom vs. settings.xml?

"The best way is to sync your stuff to the Central Repository" -- true,

but again, there are cases where this is _not possible_. What then? I feel
we keep repeating this mantra, but leaving out some cornerstones...

On Tue, Oct 18, 2016 at 12:04 AM Manfred Moser <ma...@simpligility.com>
wrote:

> The best way is to sync your stuff to the Central Repository imho.
>
> Otherwise you are probably best off with using repositories in the POM or
> a checked in settings file and build.sh reference command build like mvn -s
> ...
>
> manfred
>
> Curtis Rueden wrote on 2016-10-17 15:00:
>
> > Hi everyone,
> >
> > I have an OSS project with "mixed" dependencies—some in central, and some
> > in our public Maven repo (because they are still in incubation or
> > beta). Every time this discussion arises, I find myself wondering the
> same
> > thing: how can you achieve an "out-of-the-box" build for such a project,
> > without specifying <repositories>? All the alternatives I see people
> > suggest (e.g., checking in settings.xml to the repository) would require
> > each and every new developer to perform some one-time bootstrap before
> the
> > project will build. This will turn away many new & inexperienced
> developers
> > if they try to import the project into their favorite IDE and it fails to
> > build.
> >
> > Regards,
> > Curtis
> >
> > --
> > Curtis Rueden
> > LOCI software architect - http://loci.wisc.edu/software
> > ImageJ2 lead, Fiji maintainer - http://imagej.net/User:Rueden
> >
> >
> > On Mon, Oct 17, 2016 at 4:48 PM, Manfred Moser <manfred@simpligility.com
> >
> > wrote:
> >
> >> If you really feel you need to control the source of where you download
> >> components from within the source control system
> >> I would still NOT use the repositories definition in the POM since that
> is
> >> then transferred to the target repo on deployment (unless you use
> flatten).
> >>
> >> Instead I would check in a specific settings.xml as part of the
> project...
> >> or even multiple ones for different build scenarios..
> >>
> >> Manfred
> >>
> >> KARR, DAVID wrote on 2016-10-17 14:42:
> >>
> >> >> -----Original Message-----
> >> >> From: Manfred Moser [mailto:manfred@simpligility.com]
> >> >> Sent: Monday, October 17, 2016 1:35 PM
> >> >> To: users@maven.apache.org
> >> >> Subject: Re: Comparing specifying repositories in pom vs.
> settings.xml?
> >> >>
> >> >>
> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
> >> >> is-a-bad-idea/
> >> >
> >> > The point about open-source projects is well-taken.  I would never
> >> specify
> >> > repositories in a POM for a public project.
> >> >
> >> > The section about "Enterprise" just seems odd to me.  It seems very
> >> focused on
> >> > "central", when that might not be the case at all.  We use many
> >> open-source
> >> > projects, but those aren't very volatile.  We use dozens of internal
> >> artifacts,
> >> > and there isn't a lot of doubt about what repos to get particular
> kinds
> >> of
> >> > artifacts from.  I find build repeatability more important (specifying
> >> all
> >> > requirements in the build script).  The requirement about "generally
> >> will want
> >> > all your developers using the same set of repositories" is pretty
> >> important to
> >> > me, but the recommended solution just seems counterproductive.
> >> Specifying it
> >> > in the POM for the project seems to be the most direct way to ensure
> >> that.
> >> >
> >> >> KARR, DAVID wrote on 2016-10-17 13:03:
> >> >>
> >> >> > One thing I run into when jumping between different projects is
> >> >> > different expectations for what maven repos I need to be using.  In
> >> >> > the past, I had to have multiple copies of "~/.m2/settings.xml"
> lying
> >> >> > around, and I would hack the specified repos when I needed to.
> >> >> >
> >> >> > Recently, I saw a situation where the required repositories were
> >> >> > simply defined in the top-level pom for the project.  If this is
> done
> >> >> > consistently, there's no longer any need to hack the settings.xml
> >> >> file.
> >> >> >
> >> >> > I seem to remember seeing some advice that specifying repositories
> in
> >> >> > the POM is a bad practice.  If I'm remembering this correctly, this
> >> >> > seems odd.  Forcing the correct repos to be defined in the
> >> >> > settings.xml works against "repeatable builds".
> >> >> >
> >> >> > What is the recommended advice here?
> >> >> >


Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Tamás Cservenák <ta...@cservenak.net>.
"The best way is to sync your stuff to the Central Repository" -- true,

but again, there are cases where this is _not possible_. What then? I feel
we keep repeating this mantra, but leaving out some cornerstones...

On Tue, Oct 18, 2016 at 12:04 AM Manfred Moser <ma...@simpligility.com>
wrote:

> The best way is to sync your stuff to the Central Repository imho.
>
> Otherwise you are probably best off with using repositories in the POM or
> a checked in settings file and build.sh reference command build like mvn -s
> ...
>
> manfred
>
> Curtis Rueden wrote on 2016-10-17 15:00:
>
> > Hi everyone,
> >
> > I have an OSS project with "mixed" dependencies—some in central, and some
> > in our public Maven repo (because they are still in incubation or
> > beta). Every time this discussion arises, I find myself wondering the
> same
> > thing: how can you achieve an "out-of-the-box" build for such a project,
> > without specifying <repositories>? All the alternatives I see people
> > suggest (e.g., checking in settings.xml to the repository) would require
> > each and every new developer to perform some one-time bootstrap before
> the
> > project will build. This will turn away many new & inexperienced
> developers
> > if they try to import the project into their favorite IDE and it fails to
> > build.
> >
> > Regards,
> > Curtis
> >
> > --
> > Curtis Rueden
> > LOCI software architect - http://loci.wisc.edu/software
> > ImageJ2 lead, Fiji maintainer - http://imagej.net/User:Rueden
> >
> >
> > On Mon, Oct 17, 2016 at 4:48 PM, Manfred Moser <manfred@simpligility.com
> >
> > wrote:
> >
> >> If you really feel you need to control the source of where you download
> >> components from within the source control system
> >> I would still NOT use the repositories definition in the POM since that
> is
> >> then transferred to the target repo on deployment (unless you use
> flatten).
> >>
> >> Instead I would check in a specific settings.xml as part of the
> project...
> >> or even multiple ones for different build scenarios..
> >>
> >> Manfred
> >>
> >> KARR, DAVID wrote on 2016-10-17 14:42:
> >>
> >> >> -----Original Message-----
> >> >> From: Manfred Moser [mailto:manfred@simpligility.com]
> >> >> Sent: Monday, October 17, 2016 1:35 PM
> >> >> To: users@maven.apache.org
> >> >> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
> >> >>
> >> >> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
> >> >> is-a-bad-idea/
> >> >
> >> > The point about open-source projects is well-taken.  I would never specify
> >> > repositories in a POM for a public project.
> >> >
> >> > The section about "Enterprise" just seems odd to me.  It seems very focused on
> >> > "central", when that might not be the case at all.  We use many open-source
> >> > projects, but those aren't very volatile.  We use dozens of internal artifacts,
> >> > and there isn't a lot of doubt about what repos to get particular kinds of
> >> > artifacts from.  I find build repeatability more important (specifying all
> >> > requirements in the build script).  The requirement about "generally will want
> >> > all your developers using the same set of repositories" is pretty important to
> >> > me, but the recommended solution just seems counterproductive.  Specifying it
> >> > in the POM for the project seems to be the most direct way to ensure that.
> >> >
> >> >> KARR, DAVID wrote on 2016-10-17 13:03:
> >> >>
> >> >> > One thing I run into when jumping between different projects is
> >> >> > different expectations for what maven repos I need to be using.  In
> >> >> > the past, I had to have multiple copies of "~/.m2/settings.xml" lying
> >> >> > around, and I would hack the specified repos when I needed to.
> >> >> >
> >> >> > Recently, I saw a situation where the required repositories were
> >> >> > simply defined in the top-level pom for the project.  If this is done
> >> >> > consistently, there's no longer any need to hack the settings.xml file.
> >> >> >
> >> >> > I seem to remember seeing some advice that specifying repositories in
> >> >> > the POM is a bad practice.  If I'm remembering this correctly, this
> >> >> > seems odd.  Forcing the correct repos to be defined in the
> >> >> > settings.xml works against "repeatable builds".
> >> >> >
> >> >> > What is the recommended advice here?

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Manfred Moser <ma...@simpligility.com>.
The best way is to sync your stuff to the Central Repository imho. 

Otherwise you are probably best off with using repositories in the POM or a checked in settings file and build.sh reference command build like mvn -s ... 

manfred

Curtis Rueden wrote on 2016-10-17 15:00:

> Hi everyone,
> 
> I have an OSS project with "mixed" dependencies—some in central, and some
> in our public Maven repo (because they are still in incubation or
> beta). Every time this discussion arises, I find myself wondering the same
> thing: how can you achieve an "out-of-the-box" build for such a project,
> without specifying <repositories>? All the alternatives I see people
> suggest (e.g., checking in settings.xml to the repository) would require
> each and every new developer to perform some one-time bootstrap before the
> project will build. This will turn away many new & inexperienced developers
> if they try to import the project into their favorite IDE and it fails to
> build.
> 
> Regards,
> Curtis
> 
> --
> Curtis Rueden
> LOCI software architect - http://loci.wisc.edu/software
> ImageJ2 lead, Fiji maintainer - http://imagej.net/User:Rueden
> 
> 
> On Mon, Oct 17, 2016 at 4:48 PM, Manfred Moser <ma...@simpligility.com>
> wrote:
> 
>> If you really feel you need to control the source of where you download
>> components from within the source control system
>> I would still NOT use the repositories definition in the POM since that is
>> then transferred to the target repo on deployment (unless you use flatten).
>>
>> Instead I would check in a specific settings.xml as part of the project...
>> or even multiple ones for different build scenarios..
>>
>> Manfred
>>
>> KARR, DAVID wrote on 2016-10-17 14:42:
>>
>> >> -----Original Message-----
>> >> From: Manfred Moser [mailto:manfred@simpligility.com]
>> >> Sent: Monday, October 17, 2016 1:35 PM
>> >> To: users@maven.apache.org
>> >> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
>> >>
>> >> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
>> >> is-a-bad-idea/
>> >
>> > The point about open-source projects is well-taken.  I would never specify
>> > repositories in a POM for a public project.
>> >
>> > The section about "Enterprise" just seems odd to me.  It seems very focused on
>> > "central", when that might not be the case at all.  We use many open-source
>> > projects, but those aren't very volatile.  We use dozens of internal artifacts,
>> > and there isn't a lot of doubt about what repos to get particular kinds of
>> > artifacts from.  I find build repeatability more important (specifying all
>> > requirements in the build script).  The requirement about "generally will want
>> > all your developers using the same set of repositories" is pretty important to
>> > me, but the recommended solution just seems counterproductive.  Specifying it
>> > in the POM for the project seems to be the most direct way to ensure that.
>> >
>> >> KARR, DAVID wrote on 2016-10-17 13:03:
>> >>
>> >> > One thing I run into when jumping between different projects is
>> >> > different expectations for what maven repos I need to be using.  In
>> >> > the past, I had to have multiple copies of "~/.m2/settings.xml" lying
>> >> > around, and I would hack the specified repos when I needed to.
>> >> >
>> >> > Recently, I saw a situation where the required repositories were
>> >> > simply defined in the top-level pom for the project.  If this is done
>> >> > consistently, there's no longer any need to hack the settings.xml file.
>> >> >
>> >> > I seem to remember seeing some advice that specifying repositories in
>> >> > the POM is a bad practice.  If I'm remembering this correctly, this
>> >> > seems odd.  Forcing the correct repos to be defined in the
>> >> > settings.xml works against "repeatable builds".
>> >> >
>> >> > What is the recommended advice here?


Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Curtis Rueden <ct...@wisc.edu>.
Hi everyone,

I have an OSS project with "mixed" dependencies—some in central, and some
in our public Maven repo (because they are still in incubation or
beta). Every time this discussion arises, I find myself wondering the same
thing: how can you achieve an "out-of-the-box" build for such a project,
without specifying <repositories>? All the alternatives I see people
suggest (e.g., checking in settings.xml to the repository) would require
each and every new developer to perform some one-time bootstrap before the
project will build. This will turn away many new & inexperienced developers
if they try to import the project into their favorite IDE and it fails to
build.

Regards,
Curtis

--
Curtis Rueden
LOCI software architect - http://loci.wisc.edu/software
ImageJ2 lead, Fiji maintainer - http://imagej.net/User:Rueden


On Mon, Oct 17, 2016 at 4:48 PM, Manfred Moser <ma...@simpligility.com>
wrote:

> If you really feel you need to control the source of where you download
> components from within the source control system
> I would still NOT use the repositories definition in the POM since that is
> then transferred to the target repo on deployment (unless you use flatten).
>
> Instead I would check in a specific settings.xml as part of the project...
> or even multiple ones for different build scenarios..
>
> Manfred
>
> KARR, DAVID wrote on 2016-10-17 14:42:
>
> >> -----Original Message-----
> >> From: Manfred Moser [mailto:manfred@simpligility.com]
> >> Sent: Monday, October 17, 2016 1:35 PM
> >> To: users@maven.apache.org
> >> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
> >>
> >> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
> >> is-a-bad-idea/
> >
> > The point about open-source projects is well-taken.  I would never specify
> > repositories in a POM for a public project.
> >
> > The section about "Enterprise" just seems odd to me.  It seems very focused on
> > "central", when that might not be the case at all.  We use many open-source
> > projects, but those aren't very volatile.  We use dozens of internal artifacts,
> > and there isn't a lot of doubt about what repos to get particular kinds of
> > artifacts from.  I find build repeatability more important (specifying all
> > requirements in the build script).  The requirement about "generally will want
> > all your developers using the same set of repositories" is pretty important to
> > me, but the recommended solution just seems counterproductive.  Specifying it
> > in the POM for the project seems to be the most direct way to ensure that.
> >
> >> KARR, DAVID wrote on 2016-10-17 13:03:
> >>
> >> > One thing I run into when jumping between different projects is
> >> > different expectations for what maven repos I need to be using.  In
> >> > the past, I had to have multiple copies of "~/.m2/settings.xml" lying
> >> > around, and I would hack the specified repos when I needed to.
> >> >
> >> > Recently, I saw a situation where the required repositories were
> >> > simply defined in the top-level pom for the project.  If this is done
> >> > consistently, there's no longer any need to hack the settings.xml file.
> >> >
> >> > I seem to remember seeing some advice that specifying repositories in
> >> > the POM is a bad practice.  If I'm remembering this correctly, this
> >> > seems odd.  Forcing the correct repos to be defined in the
> >> > settings.xml works against "repeatable builds".
> >> >
> >> > What is the recommended advice here?

Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Manfred Moser <ma...@simpligility.com>.
If you really feel you need to control the source of where you download components from within the source control system 
I would still NOT use the repositories definition in the POM since that is then transferred to the target repo on deployment (unless you use flatten).

Instead I would check in a specific settings.xml as part of the project... or even multiple ones for different build scenarios.. 

Manfred

KARR, DAVID wrote on 2016-10-17 14:42:

>> -----Original Message-----
>> From: Manfred Moser [mailto:manfred@simpligility.com]
>> Sent: Monday, October 17, 2016 1:35 PM
>> To: users@maven.apache.org
>> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
>> 
>> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
>> is-a-bad-idea/
> 
> The point about open-source projects is well-taken.  I would never specify
> repositories in a POM for a public project.
> 
> The section about "Enterprise" just seems odd to me.  It seems very focused on
> "central", when that might not be the case at all.  We use many open-source
> projects, but those aren't very volatile.  We use dozens of internal artifacts,
> and there isn't a lot of doubt about what repos to get particular kinds of
> artifacts from.  I find build repeatability more important (specifying all
> requirements in the build script).  The requirement about "generally will want
> all your developers using the same set of repositories" is pretty important to
> me, but the recommended solution just seems counterproductive.  Specifying it
> in the POM for the project seems to be the most direct way to ensure that.
> 
>> KARR, DAVID wrote on 2016-10-17 13:03:
>> 
>> > One thing I run into when jumping between different projects is
>> > different expectations for what maven repos I need to be using.  In
>> > the past, I had to have multiple copies of "~/.m2/settings.xml" lying
>> > around, and I would hack the specified repos when I needed to.
>> >
>> > Recently, I saw a situation where the required repositories were
>> > simply defined in the top-level pom for the project.  If this is done
>> > consistently, there's no longer any need to hack the settings.xml file.
>> >
>> > I seem to remember seeing some advice that specifying repositories in
>> > the POM is a bad practice.  If I'm remembering this correctly, this
>> > seems odd.  Forcing the correct repos to be defined in the
>> > settings.xml works against "repeatable builds".
>> >
>> > What is the recommended advice here?


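Added example, not part of the thread and not Maven project code: a pre-deploy check for the point made in the message above, that <repositories> declared in a POM travel with it to the target repo unless the POM is flattened. It lists the download repositories a POM declares (top level and inside profiles) and, going one step beyond the thread, also flags URLs that are not HTTPS; the sample POM, its URLs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (hypothetical ids and URLs), as it might look before deployment.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository><id>incubator</id><url>http://repo.example.org/incubator</url></repository>
  </repositories>
  <distributionManagement>
    <repository><id>releases</id><url>https://repo.example.org/releases</url></repository>
  </distributionManagement>
  <profiles>
    <profile>
      <id>extra</id>
      <pluginRepositories>
        <pluginRepository><id>plugins</id><url>https://repo.example.org/plugins/</url></pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</project>
"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ElementTree gives '{uri}name'; keep 'name'


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def declared_repositories(pom_xml):
    """Download repositories a POM declares, at top level or inside profiles.
    <distributionManagement><repository> is a deploy target and is skipped."""
    found = []
    def walk(elem, profile):
        name = _local(elem.tag)
        if name == "profile":
            profile = _child_text(elem, "id") or "(no id)"
        if name in ("repositories", "pluginRepositories"):
            for repo in elem:
                found.append({"kind": _local(repo.tag), "profile": profile,
                              "id": _child_text(repo, "id"),
                              "url": _child_text(repo, "url")})
            return
        for child in elem:
            walk(child, profile)
    # Fine for your own POMs; parse untrusted ones with a hardened parser (defusedxml).
    walk(ET.fromstring(pom_xml), None)
    return found


def audit(pom_xml, allowed_urls=()):
    """Findings that should block a deploy; with no allowlist, any declaration is one."""
    allowed = {u.rstrip("/") for u in allowed_urls}
    findings = []
    for r in declared_repositories(pom_xml):
        where = "profile " + r["profile"] if r["profile"] else "top level"
        label = "%s '%s' (%s)" % (r["kind"], r["id"], where)
        if not r["url"].lower().startswith("https://"):
            findings.append(label + ": not https: " + r["url"])
        elif r["url"].rstrip("/") not in allowed:
            findings.append(label + ": not allowlisted: " + r["url"])
    return findings
```

Run audit() with no allowlist against the POM that will actually be published (for example the flattened one), and with the project's agreed repository URLs against the source POM.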


RE: Comparing specifying repositories in pom vs. settings.xml?

Posted by "KARR, DAVID" <dk...@att.com>.
> -----Original Message-----
> From: Manfred Moser [mailto:manfred@simpligility.com]
> Sent: Monday, October 17, 2016 1:35 PM
> To: users@maven.apache.org
> Subject: Re: Comparing specifying repositories in pom vs. settings.xml?
> 
> http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-
> is-a-bad-idea/

The point about open-source projects is well-taken.  I would never specify repositories in a POM for a public project.

The section about "Enterprise" just seems odd to me.  It seems very focused on "central", when that might not be the case at all.  We use many open-source projects, but those aren't very volatile.  We use dozens of internal artifacts, and there isn't a lot of doubt about what repos to get particular kinds of artifacts from.  I find build repeatability more important (specifying all requirements in the build script).  The requirement about "generally will want all your developers using the same set of repositories" is pretty important to me, but the recommended solution just seems counterproductive.  Specifying it in the POM for the project seems to be the most direct way to ensure that.
 
> KARR, DAVID wrote on 2016-10-17 13:03:
> 
> > One thing I run into when jumping between different projects is
> > different expectations for what maven repos I need to be using.  In
> > the past, I had to have multiple copies of "~/.m2/settings.xml" lying
> > around, and I would hack the specified repos when I needed to.
> >
> > Recently, I saw a situation where the required repositories were
> > simply defined in the top-level pom for the project.  If this is done
> > consistently, there's no longer any need to hack the settings.xml file.
> >
> > I seem to remember seeing some advice that specifying repositories in
> > the POM is a bad practice.  If I'm remembering this correctly, this
> > seems odd.  Forcing the correct repos to be defined in the
> > settings.xml works against "repeatable builds".
> >
> > What is the recommended advice here?


Re: Comparing specifying repositories in pom vs. settings.xml?

Posted by Manfred Moser <ma...@simpligility.com>.
http://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-is-a-bad-idea/

KARR, DAVID wrote on 2016-10-17 13:03:

> One thing I run into when jumping between different projects is different
> expectations for what maven repos I need to be using.  In the past, I had to
> have multiple copies of "~/.m2/settings.xml" lying around, and I would hack the
> specified repos when I needed to.
> 
> Recently, I saw a situation where the required repositories were simply defined
> in the top-level pom for the project.  If this is done consistently, there's no
> longer any need to hack the settings.xml file.
> 
> I seem to remember seeing some advice that specifying repositories in the POM
> is a bad practice.  If I'm remembering this correctly, this seems odd.  Forcing
> the correct repos to be defined in the settings.xml works against "repeatable
> builds".
> 
> What is the recommended advice here?