geronimo-dev mailing list archives

From Jason van Zyl <ja...@maven.org>
Subject Re: no more modules for specs...
Date Sat, 16 Dec 2006 13:51:44 GMT

On 16 Dec 06, at 3:40 AM 16 Dec 06, David Jencks wrote:

>
> On Dec 15, 2006, at 11:05 PM, Jason van Zyl wrote:
> <big snip>
>>
>> Then don't use those repos, or label them as snapshot repos. As  
>> far as Geronimo is concerned why do you need anything more than
>> central as a source? Aside from your SNAPSHOT dependencies.
>>
>> This will only stop when Archiva is in full effect. The only way  
>> to submit anything to central will be via Archiva. Any project who  
>> wishes to have the same stability will only take artifacts that  
>> have passed through an instance of Archiva. You'll know you're
>> using an instance of Archiva because we'll have a wagon for doing  
>> that and it will be configured. It will eventually be the default.  
>> It will simply be the Grizzly client and Jetty using the Grizzly  
>> connector.
>
> Jason, one thing I'd like to point out here is that to a large  
> extent jdillon has been saying "the current state of maven remote  
> repos is unreliable" and you are saying, "no, as soon as we get  
> archiva, signatures, audit trails, etc etc etc working they will be  
> reliable".  That's agreeing with jdillon that the current state of  
> maven remote repos is unreliable since they don't have signed  
> artifacts and an audit trail (at least).  Just because you wish  
> remote repos worked and were reliable does not mean they are  
> today.  I personally don't think they will be satisfactory until  
> you have a revocation procedure in place as well as signing and an  
> audit trail.  I suspect that making this distributed system  
> reliable is going to be much much harder than you imagine: I hope  
> I'm wrong because if it works it would be really great.

The central repository itself has always been pretty stable with no  
safeguards. I realize not having these safeguards is not great but  
things don't just disappear off that machine. We have a huge problem,  
it appears,  with the syncs we are pulling in automatically.  
Organization wide syncs are soon going to stop and it's going to be  
per-project so that when garbage appears we will know immediately
who's polluting the repository. Archiva will also keep track of
deletions. So yes, I agree on one hand that we need a watchdog in  
place but we are not randomly jumbling stuff around on the central  
repository. We're getting burned from our source syncs and the misuse  
of SNAPSHOT repositories for the most part.
>
> Another comment I will make is that I am fairly sure there are  
> severe bugs in the maven artifact resolution process when snapshots  
> are present.

There are a huge number, I believe it's completely unreliable and  
it's going to need an overhaul. It was very apparent from my last  
round of travels that in many cases especially when snapshots are  
used there are severe problems. I think we underestimated the use of
snapshots and how prevalent their use would be for external  
dependencies.

> This is because if I remove all org.apache.geronimo.modules  
> artifacts from my local repo and build the corresponding part of  
> geronimo, if I build online I usually get errors together with  
> downloaded timestamped artifacts whereas if I build offline the  
> build succeeds.

Yup, that's a patch we applied for Jason to provide a stopgap
solution, where no snapshots will be updated when building.

> Note carefully that I am only building geronimo artifacts and there  
> is no change whatsoever in non-geronimo artifacts in my local  
> repo.  I think nearly every time we've made a change involving more  
> than one module since we started using m2 and pushing snapshots to  
> the snapshot repo we've had user complaints that the build is  
> broken, and the solution always is to build offline.

Snapshots are an inherent instability but there are definitely errors
in working with snapshots in maven-artifact and it's bad. I see it as  
the most critical problem with 2.0.x. But moving toward using less of  
them even if that's locking to some timestamped versions will help  
greatly.

>
> Your complaints about any already released geronimo artifacts are  
> totally irrelevant  unless you want to recommend we move back to m1  
> since the 1.2-beta and 2.0-M1 are the first releases we've tried to  
> do with m2 (except for specs, which got messed up in various other  
> ways but have not been a giant problem until recently).

With m1 or m2 a release with snapshots is deadly. The practice seems  
to be something present regardless of what version of Maven you're  
using. The concept of a SNAPSHOT is the same in both versions though  
implemented differently.

Even in the face of the instability with SNAPSHOT handling in m2 I  
think you can eliminate a lot of it by getting off many of your  
SNAPSHOTs and I am trying to get out 2.0.5 which now contains a fix  
that always takes SNAPSHOTs locally if you have them.

Jason.

>
> thanks
> david jencks
>
>
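
Added example, not part of the original message and not code from Maven or Geronimo: a pre-release check for the practice discussed in this thread, which lists every dependency in a POM that still resolves to a floating `-SNAPSHOT` version and separately reports ones locked to a timestamped snapshot. The sample POM, its `org.example` coordinates, and the function names `classify` and `audit_pom` are constructed for illustration; only `${...}` properties defined in the same POM are resolved.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Timestamped snapshot as deployed to a remote repo, e.g. 1.2-20061215.101530-3
TIMESTAMPED = re.compile(r"-\d{8}\.\d{6}-\d+$")
PROP = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM (not taken from the Geronimo build).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.2-beta</version>
  <properties><spec.version>1.1-SNAPSHOT</spec.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>specs</artifactId>
      <version>${spec.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>kernel</artifactId>
      <version>1.2-20061215.101530-3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>util</artifactId>
      <version>1.0</version></dependency>
  </dependencies>
</project>"""

def classify(version):
    """Return how reproducible a version string is."""
    if version.endswith("-SNAPSHOT"):
        return "floating-snapshot"      # can change between two builds
    if TIMESTAMPED.search(version):
        return "timestamped-snapshot"   # pinned, but still unreleased
    return "release"

def audit_pom(pom_xml):
    """List (kind, groupId:artifactId:version) for every non-release dependency."""
    root = ET.fromstring(pom_xml)
    # Properties declared in this POM, used to expand ${name} in versions.
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall(".//m:dependency", NS) + root.findall("m:parent", NS):
        raw = (dep.findtext("m:version", "", NS) or "").strip()
        version = PROP.sub(lambda m: props.get(m.group(1), m.group(0)), raw)
        kind = classify(version)
        if kind != "release":
            gav = "%s:%s:%s" % (dep.findtext("m:groupId", "", NS),
                                dep.findtext("m:artifactId", "", NS), version)
            findings.append((kind, gav))
    return findings

if __name__ == "__main__":
    for kind, gav in audit_pom(SAMPLE_POM):
        print(kind, gav)
```
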

