You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by Mark Raynsford <or...@io7m.com> on 2017/08/15 10:06:13 UTC
Auditing version ranges
Hello.
I've recently been considering moving to byte-for-byte reproducible
builds of my software packages. It seems fairly easy to get there via
plugins such as the reproducible-build-maven-plugin [0] as long as the
build isn't otherwise unreproducible, but one thing that I am unsure of
is whether or not it's possible to detect and fail the build if a
(transitive) dependency is using version ranges.
For example, if I declare a dependency on a package P and P declares a
dependency on Q using a version range, then my build is effectively
nondetermimistic (because a new version of Q may appear at any time).
As a consumer of P, I may be totally unaware of Q and therefore won't
know to override the versions of Q in my own dependencyManagement
section.
Is there a plugin that can reject the use of version ranges anywhere in
the transitive dependency tree?
I'm currently using scijava's plugin to reject snapshot versions [1],
and am using the dependency plugin to fail builds with undeclared
dependencies.
[0] https://github.com/Zlika/reproducible-build-maven-plugin
[1] https://github.com/scijava/scijava-maven-plugin
--
Mark Raynsford | http://www.io7m.com
Re: Auditing version ranges
Posted by Mark Raynsford <or...@io7m.com>.
On 2017-08-15T13:23:17 +0000
Thomas Broyer <t....@gmail.com> wrote:
> Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough
> for your use-case (also notice there's a Require Release Dependencies rule
> to prohibit snapshot dependencies)
> http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html
Thanks, didn't see that one. I'll give it a shot.
--
Mark Raynsford | http://www.io7m.com
Re: Auditing version ranges
Posted by Thomas Broyer <t....@gmail.com>.
Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough
for your use-case (also notice there's a Require Release Dependencies rule
to prohibit snapshot dependencies)
http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html
Le mar. 15 août 2017 12:06, Mark Raynsford <or...@io7m.com>
a écrit :
> Hello.
>
> I've recently been considering moving to byte-for-byte reproducible
> builds of my software packages. It seems fairly easy to get there via
> plugins such as the reproducible-build-maven-plugin [0] as long as the
> build isn't otherwise unreproducible, but one thing that I am unsure of
> is whether or not it's possible to detect and fail the build if a
> (transitive) dependency is using version ranges.
>
> For example, if I declare a dependency on a package P and P declares a
> dependency on Q using a version range, then my build is effectively
> nondetermimistic (because a new version of Q may appear at any time).
> As a consumer of P, I may be totally unaware of Q and therefore won't
> know to override the versions of Q in my own dependencyManagement
> section.
>
> Is there a plugin that can reject the use of version ranges anywhere in
> the transitive dependency tree?
>
> I'm currently using scijava's plugin to reject snapshot versions [1],
> and am using the dependency plugin to fail builds with undeclared
> dependencies.
>
> [0] https://github.com/Zlika/reproducible-build-maven-plugin
> [1] https://github.com/scijava/scijava-maven-plugin
>
> --
> Mark Raynsford | http://www.io7m.com
>