On 25 April 2012 09:00, Stephen Connolly <stephen.alan.conno...@gmail.com>wrote:
> On 25 April 2012 08:39, Matthias Pfau <p...@l3s.de> wrote: > >> Hi there, >> yesterday, we noticed that cassandra is currently published with >> inconsistent dependencies. The inconsistencies exist between the published >> pom and the published distribution (tar.gz). >> >> This is a serious issue for us as we are using pom dependencies for >> development/testing and a tarball distribution for production. >> >> I have read >> https://issues.apache.org/**jira/browse/CASSANDRA-850<https://issues.apache.org/jira/browse/CASSANDRA-850>and >> understood that you version all runtime dependencies in lib/ because >> you have to update license files manually and therefore see no benefit in >> using ivy. >> > > Not using ivy any more, switched to Maven ANT tasks.... but same > difference. > > >> >> However, I would like to make the following proposals for solving the >> described issue: >> a.) don't put everything from lib/ on the compile classpath but rather >> each library individually. Extract the versions into constants that are >> used to put the jars from lib/ onto the classpath and to generate a >> consistent pom. >> > > Makes some occasionally invalid assumptions about lib folder versioning > and maven repo versioning. > > >> b.) go a step back and don't version any jars in lib/ but automate the >> retrieval of license files (would do this for you, if needed) >> > > I'd be interested in seeing what reaction you get to this... I suggested > it a while back, but got nowhere > > >> c.) create a fat-jar of all dependencies or relabel all dependencies and >> publish them to the maven repo, too >> > > God no. not c) > > >> >> What do you think? >> >> I am also interested in knowing what you do to workaround this problem! >> And if it is not a problem for you, please tell me why... >> > > Every so often, I get some cycles free and I check the pom for being valid > and push patches to the C* devs. I haven't had many cycles in the 1.0.x > suite of releases. the 0.8.x set should be fairly close, I think only 1 or > 2 releases escaped with different dependencies. Also, for 1 or 2 > dependencies, they are exactly the same but the checksums differ due to > timestamp changes, a deep diff of the bytecode reveals that the > dependencies are effectively the same. Due to having bigger fish to fry, > for those deps I have not bothered fighting to get the lib version changed. > > In general, maintaining the pom is something that can fall off the C* devs > radar... in part because some of the devs are not interested in generating > poms (I suspect as a result of being burned by some of the woefully bad > maven builds I have seen some people force on people [virtually looks at > co-worker and shakes head]) and in part because most of the devs are not > "Maven" people and so do not fully grok the pom itself. > > I will take a quick look and see if I can push a patch, sylvain or > jonathan are usually happy to apply them for me. > https://issues.apache.org/jira/browse/CASSANDRA-4183 created. Note that those two dependencies look to be the only critical diffs. The other diffs are just purely cosmetic by my analysis. > >> >> Kind regards >> Matthias >> > >
