maven-dev mailing list archives

From "Robert Scholte" <>
Subject Re: Next Maven prerequisite for Maven Plugins
Date Mon, 13 Oct 2014 18:53:24 GMT
On Sun, 12 Oct 2014 16:10:47 +0200, Benson Margulies wrote:

> On Sun, Oct 12, 2014 at 9:25 AM, Karl Heinz Marbaise <> wrote:
>> Hi Robert,
>> from my point of view minimum to 3.0.5 ...nothing below...afterwards
>> 3.1.1.....and then 3.2.1...the latest releases from the appropriate release
>> lines 3.0.X, 3.1.X, 3.2.X,....
>> I wouldn't go to 3.1.0 at the moment cause that could be confusing....from
>> user point of view...then there is a gap...
>> 2.2.1
>> 3.1.1
>> From my side...
> Here's what I _think_ is going on here. Two issues.
> First, Maven 3.0 was a bit of a camel; there are a number of issues
> with how Aether and such are plugged in that lead to problems in
> plugin development. Witness the mess in the dependency plugin as it
> tried/tries to straddle. So, there's a desire to pull the floor up on
> the plugins in the hopes of getting to the point where, in general,
> plugin developers are dealing with a rationalized view of artifacts,
> dependencies, the like.

I agree that we underestimated the impact of changing from Sonatype's
Aether to Eclipse's Aether.
It has happened and all related plugins have now been fixed for both
Aether versions.
So we're kind of okay here, though this part will stay tricky (for  
committers and contributors) as long as we need to support both Aether  

> Second, this group made a decision to stop supporting Maven 2.x core,
> period. So, it seemed that a reasonable sequel to that was to pull the
> floor up to, at least, the lowest supported version of the core. Is
> anyone here committed to making 3.0 alpha-x bugfix releases? No; at
> most, someone might be willing to make another 3.0.x. So requiring
> 3.0.x to get new versions of plugins makes logical sense to me. If, in
> fact, no one is willing to make even a 3.0.x release, we should
> 'unsupport' 3.0.x in the same way we unsupported 2.2.x. I'm not
> _advocating_ here.

I agree that it should be the lowest, i.e. 3.0.x plugins should be able to
run with 3.0 and above.
In fact 2.2.1 could also be called the lowest since we marked 2.2.0 as a
corrupt/invalid release.


>> Kind regards
>> Karl Heinz Marbaise
>>> Hi,
>>> Right now we change the Maven prerequisite to 2.2.1 and I noticed some
>>> new issues which already want to move it forward to 3.0.4. I wonder why
>>> to move to this version.
>>> Most (API-)changes have been introduced with the 3.0 alpha and beta
>>> releases. I don't think that the other 3.0.x releases provide that much
>>> more changes.
>>> So I would say that changing the required Maven version would be 3.0.
>>> *If* we want to force users not to use 3.0.4 due to the CVE-2013-0253,
>>> we should say that 3.0.5 is the next required version of Maven.
>>> And I could go one step further: if we want to get rid of the
>>> compatibility overhead for Aether (Sonatype versus Eclipse) we should
>>> change it to 3.1.0
>>> So I'd prefer to move forward to 3.0, maybe even to 3.1.0, but not to
>>> 3.0.4 unless there are better reasons than I mentioned above.
>>> Any other opinions?
>>> thanks,
>>> Robert
>> Kind regards
>> Karl Heinz Marbaise