Posted to users@maven.apache.org by Wendy Smoak <ws...@gmail.com> on 2009/09/10 23:03:33 UTC

Deprecating and banning artifacts with repository metadata

A group I work with had a requirement to be able to deprecate and ban
old versions of their artifacts.  The dev team is very large and
simply sending out an email telling everyone not to use version 1.0 of
some artifact won't work.  The team needed a way to warn and/or
enforce that the old version is no longer supported and should not (or
must not) be used.

I think they started out writing a rule for the Enforcer plugin, but
at some point it turned into a separate plugin.  (There was a concern
about teams simply re-configuring the Enforcer plugin to get around
the rules.)

In the repository, they have a versions-metadata.xml file sitting next
to the maven-metadata.xml file.  The plugin examines all the
dependencies in the build and looks for the versions-metadata.xml
file to see if it needs to warn or fail.

They're considering contributing the plugin and are wondering whether
it sounds useful to the general Maven community before they start
wading through the corporate legal stuff that would be necessary to
make that happen.

Does it sound like something you might use?  Let me know if you want
more details on it, or perhaps one of the devs that's involved will
chime in.

Thanks,
-- 
Wendy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Deprecating and banning artifacts with repository metadata

Posted by Ashish Joshi <ma...@gmail.com>.
Hi,

The problem with this approach is that the consumer of the dependencies
needs to know what dependencies are prohibited. 

The plugin which Wendy mentioned tries to address this problem. The way it
will work is

1. Consumers need not configure any list within their POMs, just a reference
to the plugin in their plugins section. They can also configure if they want
to fail the build or just have warnings.
2. During execution the plugin will look for the version-metadata file in
repository for every dependency.
3. See if the current version being downloaded matches any of the
deprecation or ban versions
4. If it does, it will throw a warning or error message. Depending on the
user setting, this will either fail the build or just generate a log
statement.

This will free consumers from keeping track of what dependencies are
prohibited, as it will automatically come in their reports.

Also it enables the producers of the components to indicate anytime that
they are no longer supporting a particular version. All consumers consuming
that dependency will start getting warning/errors in their build
automatically without any explicit change in their POMs.


Ashish 


Freddy Mallet wrote:
> 
> Hi,
> 
> FYI I created a ticket a few months ago to create such a Sonar plugin:
> http://jira.codehaus.org/browse/SONARPLUGINS-41.
> 
> This Sonar plugin could work like this:
> 
> 1 -  Accept a text list of prohibited dependencies. For instance:
>         libGroupeId1:libArtifactId1:[libScope1]:[libType1]:(,libVersion1]
>         libGroupeId2:libArtifactId2:[libScope2]:[libType2]:(,libVersion2]
>         ....
> 
> 2 - Automatically configure and launch the Maven dependency plugin (
> http://maven.apache.org/plugins/maven-dependency-plugin/) to dump the
> dependency tree in a report file
> 
> 3 - Read the report file, look for dependencies which could match the
> prohibited ones and insert those violations in the Sonar DB
> 
> I'll be glad to support anyone interested in writing such a plugin.
> Freddy
> 
> ----------------------------------------
> Freddy Mallet
> www.SonarSource.com
> Sonar.codehaus.org
> http://twitter.com/FreddyMallet
> ----------------------------------------
> 
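
The four steps Ashish lists above, as an added sketch that is not the plugin's code and not part of the original post. The thread never shows the layout of versions-metadata.xml, so the element names, the in-memory repository and the `fail_on` setting are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The real schema of versions-metadata.xml is not shown
# in the thread; these element names are assumptions.
SAMPLE_REPO = {
    ("com.example", "widgets"): """<versions-metadata>
  <deprecated><version>1.1</version></deprecated>
  <banned><version>1.0</version></banned>
</versions-metadata>""",
}

def fetch_metadata(group_id, artifact_id, repo=SAMPLE_REPO):
    """Stand-in for reading versions-metadata.xml next to maven-metadata.xml."""
    return repo.get((group_id, artifact_id))

def classify(xml_text, version):
    """Return 'banned', 'deprecated' or None for one resolved version."""
    if xml_text is None:      # assumption: no metadata means nothing to enforce
        return None
    root = ET.fromstring(xml_text)
    for status in ("banned", "deprecated"):   # banned wins if listed twice
        listed = {v.text.strip() for v in root.findall(f"{status}/version") if v.text}
        if version in listed:
            return status
    return None

def check_build(dependencies, fail_on=("banned",)):
    """dependencies: (groupId, artifactId, version) tuples.
    Returns (warnings, errors); a non-empty errors list fails the build."""
    warnings, errors = [], []
    for g, a, v in dependencies:
        status = classify(fetch_metadata(g, a), v)
        if status is None:
            continue
        msg = f"{g}:{a}:{v} is {status} by its producer"
        (errors if status in fail_on else warnings).append(msg)
    return warnings, errors

if __name__ == "__main__":
    deps = [("com.example", "widgets", "1.0"),
            ("com.example", "widgets", "1.1"),
            ("org.other", "lib", "2.0")]
    warnings, errors = check_build(deps)
    for w in warnings:
        print("[WARNING]", w)
    for e in errors:
        print("[ERROR]", e)
    raise SystemExit(1 if errors else 0)
```

Because the lists live in the repository, a producer can move a version from `deprecated` to `banned` and every consumer build picks it up on its next run without a POM change.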



Re: Deprecating and banning artifacts with repository metadata

Posted by Freddy Mallet <fr...@gmail.com>.
Hi,

FYI I created a ticket a few months ago to create such a Sonar plugin:
http://jira.codehaus.org/browse/SONARPLUGINS-41.

This Sonar plugin could work like this:

1 -  Accept a text list of prohibited dependencies. For instance:
        libGroupeId1:libArtifactId1:[libScope1]:[libType1]:(,libVersion1]
        libGroupeId2:libArtifactId2:[libScope2]:[libType2]:(,libVersion2]
        ....

2 - Automatically configure and launch the Maven dependency plugin (
http://maven.apache.org/plugins/maven-dependency-plugin/) to dump the
dependency tree in a report file

3 - Read the report file, look for dependencies which could match the
prohibited ones and insert those violations in the Sonar DB

I'll be glad to support anyone interested in writing such a plugin.
Freddy

----------------------------------------
Freddy Mallet
www.SonarSource.com
Sonar.codehaus.org
http://twitter.com/FreddyMallet
----------------------------------------


On Fri, Sep 11, 2009 at 11:00 PM, Jim Sellers <ji...@gmail.com> wrote:

> Sounds useful to me.
>
> We were going to build a similar plugin - but the plan was for it to be a
> Sonar plugin rather than a Maven plugin.
>
> Jim
>
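
Freddy's list-and-report approach from the message above, as an added example that is not part of the original post or of any Sonar plugin. It assumes an empty scope or type field means "any", the `groupId:artifactId:type[:classifier]:version:scope` lines printed by `mvn dependency:tree`, and a simplified numeric version comparison; all coordinates are constructed.

```python
import re

# Constructed sample data. Treating an empty scope/type field as "any" is an
# assumption; the post only marks those two fields as optional.
RULES = """com.example:legacy-util:::(,1.0]
com.example:old-codec:compile:jar:[2.0,2.5)"""
REPORT = r"""[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- com.example:legacy-util:jar:1.0:compile
[INFO] |  \- com.example:old-codec:jar:2.4.1:compile
[INFO] +- com.example:old-codec:jar:tests:2.4.1:test
[INFO] \- com.example:other:jar:2.5:runtime"""

def vkey(v):
    """Leading dotted numbers, trailing .0 dropped (not Maven's full ordering)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(n) for n in re.sub(r"(\.0+)*$", "", m.group()).split(".")) if m else ()

def in_range(version, rng):
    """Maven range notation: (,1.0] is <= 1.0, [2.0,2.5) is 2.0 <= v < 2.5."""
    v, parts = vkey(version), rng[1:-1].split(",")
    if len(parts) == 1:                      # [1.0] pins exactly one version
        return v == vkey(parts[0])
    lo, hi = (p.strip() for p in parts)
    if lo and (v < vkey(lo) or (v == vkey(lo) and rng[0] != "[")):
        return False
    if hi and (v > vkey(hi) or (v == vkey(hi) and rng[-1] != "]")):
        return False
    return True

def parse_tree(report):
    """Yield (group, artifact, type, version, scope) per dependency line."""
    for line in report.splitlines():
        parts = re.sub(r"^\[INFO\][ |+\\-]*", "", line).split(" ")[0].split(":")
        if len(parts) == 6:                  # drop the optional classifier
            del parts[3]
        if len(parts) == 5:                  # the root project line has only 4
            yield tuple(parts)

def violations(rules_text, report):
    """Return the report entries that match a prohibited-dependency rule."""
    rules = [r.strip().split(":", 4) for r in rules_text.splitlines() if r.strip()]
    hits = []
    for g, a, typ, ver, scope in parse_tree(report):
        for rg, ra, rscope, rtype, rng in rules:
            if ((g, a) == (rg, ra) and rscope in ("", scope)
                    and rtype in ("", typ) and in_range(ver, rng)):
                hits.append(f"{g}:{a}:{typ}:{ver}:{scope}")
    return hits

print(*violations(RULES, REPORT), sep="\n")  # run on the constructed sample
```

Transitive entries are checked the same way as direct ones, which is the case a list kept by hand in each POM tends to miss.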

Re: Deprecating and banning artifacts with repository metadata

Posted by Jim Sellers <ji...@gmail.com>.
Sounds useful to me.

We were going to build a similar plugin - but the plan was for it to be a
Sonar plugin rather than a Maven plugin.

Jim


On Fri, Sep 11, 2009 at 10:23 AM, Ben Lidgey <BL...@movenetworks.com> wrote:

>
> It sounds like it could be useful, but perhaps with a warning as there are
> maintenance projects applying bug fixes to existing projects that may not
> want to update older components to avoid too many changes.
>
> Ben

Re: Deprecating and banning artifacts with repository metadata

Posted by Ben Lidgey <BL...@movenetworks.com>.
It sounds like it could be useful, but perhaps with a warning as there are maintenance projects applying bug fixes to existing projects that may not want to update older components to avoid too many changes.

Ben

E-Mail : blidgey@movenetworks.com
______________________________________
Move Networks UK
Enterprise House
Navigation Park
Abercynon
CF45 4SN
t: +44 (0)8445 460100
f: +44 (0)8445 460200 / (0)1443 742 568
w: www.movenetworks.com