Posted to users@maven.apache.org by Mansour Al Akeel <ma...@gmail.com> on 2024/01/31 15:34:22 UTC

Modifying classifiers of transitive dependencies

We have a large number of legacy dependencies that we need to sign. I am
trying to cache those that are not signed into an internal repository to
reduce build time.

So I created another project to sign them and load them into our private
repository. I am using a classifier to indicate the signed ones. For
example, <classifier>signed</classifier>. Those are pulled properly.
However, those dependencies have many transitive dependencies that are
signed as well, but not pulled. The reason is that in the original pom,
they point to the unsigned ones.

What is the best (maven) way to resolve this? I can simply ignore the
classifier part I guess as a simple solution.

I would appreciate a better approach.

Re: Modifying classifiers of transitive dependencies

Posted by Jörg Schaible <jo...@gmx.de.INVALID>.
On Wednesday, 31. January 2024, 16:34:22 CET Mansour Al Akeel wrote:
> We have a large number of legacy dependencies that we need to sign. I am
> trying to cache those that are not signed into an internal repository to
> reduce build time.
> 
> So I created another project to sign them and load them into our private
> repository. I am using a classifier to indicate the signed ones. For
> example, <classifier>signed</classifier>. Those are pulled properly.
> However, those dependencies have many transitive dependencies that are
> signed as well, but not pulled. The reason is that in the original pom,
> they point to the unsigned ones.
> 
> What is the best (maven) way to resolve this? I can simply ignore the
> classifier part I guess as a simple solution.
> 
> I would appreciate a better approach.

Using the classifier is a really bad choice, since it is used for all kinds of 
supplemental artifacts, like sources, javadoc, etc., and it will completely 
spoil any kind of transitive dependency management.

You may instead use your own versions, just append "-signed" to them. While you 
still have the old versions in the poms, you can have a common parent pom that 
declares all required dependencies in a dependencyManagement section. 
Here you can also override the version to use (the one with the postfix) for 
each dependency transitively. Now you can still declare in your projects the 
directly required dependencies and you will nevertheless get anything that is 
required transitively. And you will immediately see, if something unsigned is 
used, by looking at the dependency tree.

The downside is that you will always have to monitor what other/new transitive 
dependencies are used when you want to update one of your directly used ones. 
But with your signing you will have to do this anyway.

As best practice: declare the versions with properties and never directly 
declare any version in the dependencies of a local pom; just omit the version 
element completely. As a benefit you're able to override any version from the 
command line using that property.

You may even have a profile to build everything with unsigned dependencies. Just 
declare the postfix itself as a property that can be overridden, e.g. using a 
profile:

 <profiles>
   <profile>
     <id>unsigned</id>
     <properties>
       <!-- empty value: the version property resolves to the plain upstream version -->
       <version.postfix/>
     </properties>
   </profile>
 </profiles>

 <properties>
   <version.postfix>-signed</version.postfix>
   <version.commons-lang>2.6${version.postfix}</version.commons-lang>
 </properties>

Regards,
Jörg
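A fuller sketch of the parent pom Jörg describes, as an added example that is not part of the original thread: the version property carries the postfix, dependencyManagement pins the signed coordinates so they also win for transitive uses, and the profile drops the postfix. The parent coordinates are assumed, and so is the existence of a commons-lang 2.6-signed artifact in the internal repository.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- assumed coordinates for the shared parent -->
  <groupId>com.example</groupId>
  <artifactId>signed-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- default: resolve the re-signed artifacts from the internal repository -->
    <version.postfix>-signed</version.postfix>
    <!-- assumes commons-lang:commons-lang:2.6-signed was published internally -->
    <version.commons-lang>2.6${version.postfix}</version.commons-lang>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- a managed version applies to direct AND transitive uses of this artifact,
           so any library that pulls in plain commons-lang 2.6 gets 2.6-signed -->
      <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>${version.commons-lang}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <profiles>
    <!-- mvn -Punsigned ...: empty postfix, so the plain upstream versions resolve -->
    <profile>
      <id>unsigned</id>
      <properties>
        <version.postfix/>
      </properties>
    </profile>
  </profiles>
</project>
```

A child pom inheriting this parent declares commons-lang:commons-lang without a version element, and running mvn dependency:tree on it shows at a glance which resolved versions lack the -signed postfix; -Dversion.postfix= on the command line overrides the property without activating the profile.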