You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Niels Basjes (Jira)" <ji...@apache.org> on 2023/02/19 14:47:00 UTC
[jira] [Commented] (MARTIFACT-44) Handling the dependency-reduced-pom.xml
[ https://issues.apache.org/jira/browse/MARTIFACT-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690906#comment-17690906 ]
Niels Basjes commented on MARTIFACT-44:
---------------------------------------
In the error case mentioned above I did this:
{code}
$ cd analyzer/target/
$ unzip yauaa-7.13.1-SNAPSHOT.jar META-INF/maven/nl.basjes.parse.useragent/yauaa/pom.xml
Archive: yauaa-7.13.1-SNAPSHOT.jar
inflating: META-INF/maven/nl.basjes.parse.useragent/yauaa/pom.xml
$ md5sum reference/yauaa-7.13.1-SNAPSHOT.pom META-INF/maven/nl.basjes.parse.useragent/yauaa/pom.xml
94c3ce5e86be6af86bb83beaf95e6706 reference/yauaa-7.13.1-SNAPSHOT.pom
94c3ce5e86be6af86bb83beaf95e6706 META-INF/maven/nl.basjes.parse.useragent/yauaa/pom.xml
{code}
So clearly the build is reproducible if you look at the pom.xml which is put in the jar file.
> Handling the dependency-reduced-pom.xml
> ---------------------------------------
>
> Key: MARTIFACT-44
> URL: https://issues.apache.org/jira/browse/MARTIFACT-44
> Project: Maven Artifact Plugin
> Issue Type: Bug
> Reporter: Niels Basjes
> Priority: Major
>
> In my projects I often use the *maven-shade-plugin* to include specific dependencies in the final jar.
> I do this to avoid version conflicts in dependencies that are very version sensitive like the Antlr4 runtime ( See [https://yauaa.basjes.nl/developer/shadingdependencies/] ).
> So in practice I use the following shading options
> * relocate: to different package name
> * minimizeJar: to only keep what is needed
> * *useDependencyReducedPomInJar* : to make sure that down stream applications do not include the original dependencies anymore that have already been included. https://maven.apache.org/plugins/maven-shade-plugin/shade-mojo.html#useDependencyReducedPomInJar
> An important note about the useDependencyReducedPomInJar is that the actual *pom.xml* that is placed in the jar file has been generated during the build and is thus very different from the *pom.xml* file that is part of the source code.
> When I now run the *compare* goal of this artifact plugin I get this:
> {code:java}
> [ERROR] size mismatch yauaa-7.13.1-SNAPSHOT.pom: investigate with diffoscope analyzer/target/reference/yauaa-7.13.1-SNAPSHOT.pom analyzer/pom.xml {code}
> To me this looks like the goal is comparing the pom of the published jar (generated file; without the shaded dependencies) with the source file (with the shaded dependencies).
> If I do this
> {code:java}
> $ diffoscope analyzer/target/reference/yauaa-7.13.1-SNAPSHOT.pom analyzer/dependency-reduced-pom.xml {code}
> They are equal.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)