On 03/23/2010 01:01 AM, Kevan Miller wrote:
On Mar 20, 2010, at 4:45 PM, Brian Fox wrote:
At the Central repository we are restricting the inclusion of external
repositories because this generally creates a mess. This is being
enforced on new artifacts coming in so I would recommend you do not
add them or your artifacts themselves will end up blocked. A better
choice is to encourage the missing dependency projects to get their
stuff into Central, or find some compatible libraries that are.
Interesting. That's news to me... You have a pointer to more information?
This definitely is news to me as well.
Other than the link provided by the original poster, http://maven.apache.org/guides/mini/guide-central-repository-upload.html, I can't find
much about this new policy, nor much details.
While I clearly support the goal of improving Central repository quality, this solution really caught me by (unpleasant) surprise and raises
several questions which I would like to get answered.
* Unclear from the documentation is if this restriction on external repositories is limited to only the repository definitions in a pom, or
if it is (or will be) extended to dependency resolving as well.
If not all dependencies can be resolved to Central itself, would that be
"flagged" too and also cause blocking the artifact(s) ?
* At what stage is this policy "enforced"? I'm thinking of Apache Repository when we deploy and release. Would a violation of this policy
already be noticed (and reported) while doing a staging release, or only at the final release to Maven Central?
The latter clearly would be too little too late IMO.
Note: we're using Apache Repository for snapshot deployments right now, and I haven't seen any "warning" about us referencing external
repositories.
* Does this new policy also affect the processing and handling of the "legacy"
rsync repositories at /www/people.apache.org/repo?
If it does, or even only partly, please let us know how and to what extend.
Note: we're planning a bugfix release shortly of an older version of
Jetspeed-2, version 2.1.4 (Apache Portals).
That version of Jetspeed-2 doesn't and cannot use the new Apache master pom nor Apache Repository as it would require too major changes for
the whole project configuration itself. The current Jetspeed-2 version 2.2.0 has been released through Apache Repository, and we're planning
a new release 2.2.1 shortly too. However, for Jetspeed 2.1.4 we'll still have to use the "legacy" rsync procedure.
For both these versions we depend on a few external repositories and dependencies and having to "fix" those (shortly) really will pose a
problem for us.
* A policy change like this will IMO affect and *restrict* any and all Apache maven build based projects who want or are supposed to deploy
to Maven Central. *Apache* policy does not in any way restrict (maven) dependencies on external repositories as long as the ASL license is
honored. For whatever reason, this new Maven Central policy now seems to require all external dependencies be (at least also) be available
from it.
* Where, when, and by whom is this new policy discussed and decided upon? Or was this
merely something that happened "overnight"?
As this policy affects (at least) all ASF maven based projects, its seems to me something which should not be decided within only the Maven
*project* alone.
I'm not so sure this really is desired nor if it will lead to the intended goal.
As I understand it, this policy requires *all* maven artifacts anyone (and especially ASF projects) would like to build against, to be
deployed in Maven Central. While other external repositories surely can and may exist, not so for Maven Central.
I honestly don't see how that can end up as a good solution. A single monolithic
repository to "rule them all" just doesn't seem right to me.
What about other, generally respected and IMO also fine repositories like
http://download.java.net/maven/2 ?
By excluding them, we're cutting off a large potential of code reuse and community benefits, or otherwise putting a large burden on those
depending on such external projects by forcing them to dual deploy to Maven Central as well.
I can imagine for some or many of those "external" repository project owners, or the users needing their artifacts, this burden is too much
to ask. Which could mean they will start ignore Maven Central all together and instead start or increase deploying (duplicating) their
artifacts elsewhere.
For Apache projects who "follow the guidelines", meaning leveraging Apache Repository and the Apache master pom configuration to streamline
and "automate" the Apache release process, going "elsewhere" is not really an option.
They will have to fix all these external (repository) dependencies, if even possible *just for the sake of Maven Central, or else indeed
"cut the cord" and go "independent"...
I really hope I'm missing the point here and none of this is going to cause
much trouble after all.
Please enlighten me!
Regards,
Ate
--kevan
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
