geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: no more modules for specs...
Date Sun, 17 Dec 2006 00:49:52 GMT

On Dec 16, 2006, at 1:58 PM, Jason Dillon wrote:

> On Dec 16, 2006, at 9:33 AM, Jason van Zyl wrote:
>>> IMO, we release source code. Binary distributions and maven  
>>> artifacts are a convenience. If users can't build our source  
>>> code, then there's a problem.
>>
>> You think your users build from sources to make their Geronimo  
>> servers for production or are you talking about just the specs? I  
>> would argue that it's rare for users to want to build everything  
>> from source, but even if they only built the Geronimo sources they  
>> still need all the binary dependencies at which point the quality  
>> of the repository matters. I think the discussion is germane in  
>> the context of your users building production systems from source.
>
> The *user* that wants to build everything from source is me... for  
> automated builds.  For our builds, and I had hoped for our releases  
> too, that use the automated system to produce builds, which are  
> always built from source (for our components) so that I can be 100%  
> assured that when I make a build that I know exactly what code  
> (from our components) was included.


My understanding is that geronimo (and openejb) are going to be using  
the latest released specs that we just voted on until someone finds a  
bug in one of them.

Why do you want to rebuild released jars?  I certainly think the  
automated system should be rebuilding all the non-released code we  
know about, but I don't understand the point of ever rebuilding  
released code.  Is this because you think the jar in the remote repo  
will change?  I would think saving the expected hashcode and  
comparing with the actual hashcode would be more reliable.

I don't really see rebuilding from source as a defense against the  
remote repo changing.  Everyone else is going to be using the remote  
repo, so even if we have a more correct locally built version  
everyone else will be screwed.  I would think using an svn based repo  
or keeping our own audit trail (such as the hashes for every released  
artifact we use) would be more reliable.  If some released artifact  
changes, I think no automated recovery is possible: someone has to  
figure out why and figure out what to do about it, since maven  
allegedly guarantees that it will never happen.

maybe I'm just being stupid.... but I'm not getting it yet.

thanks
david jencks

>
> The remote repo is still there for other users that don't need that  
> assurance or don't have time to go and build everything... but I do  
> want that... and I believe that it is in the best interest of the  
> community to get that too.
>
> --jason
>


Mime
View raw message