Return-Path: 
 <users-return-135327-apmail-maven-users-archive=maven.apache.org@maven.apache.org>
X-Original-To: apmail-maven-users-archive@www.apache.org
Delivered-To: apmail-maven-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 59EB310B91
	for <apmail-maven-users-archive@www.apache.org>;
 Mon,  3 Feb 2014 07:22:26 +0000 (UTC)
Received: (qmail 4215 invoked by uid 500); 3 Feb 2014 07:22:22 -0000
Delivered-To: apmail-maven-users-archive@maven.apache.org
Received: (qmail 3638 invoked by uid 500); 3 Feb 2014 07:22:08 -0000
Mailing-List: contact users-help@maven.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:users-unsubscribe@maven.apache.org>
List-Help: <mailto:users-help@maven.apache.org>
List-Post: <mailto:users@maven.apache.org>
List-Id: "Maven Users List" <users.maven.apache.org>
Reply-To: "Maven Users List" <users@maven.apache.org>
Delivered-To: mailing list users@maven.apache.org
Received: (qmail 3629 invoked by uid 99); 3 Feb 2014 07:22:05 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Feb 2014 07:22:05 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of anders.g.hammar@gmail.com
 designates 74.125.82.47 as permitted sender)
Received: from [74.125.82.47] (HELO mail-wg0-f47.google.com) (74.125.82.47)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Feb 2014 07:21:59 +0000
Received: by mail-wg0-f47.google.com with SMTP id m15so11528177wgh.14
        for <users@maven.apache.org>; Sun, 02 Feb 2014 23:21:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:date:message-id:subject
         :from:to:content-type;
        bh=rsZWn2yaSVfNf/ZV0GYxL6zIogfvtnr+rxxlVXnU3dU=;
        b=o3lSjKGc9ZKaeaarF+1b8JumEjmguqBEYfaU4iRXsIS/nVubd9QbW3VKbUorr9de0h
         829l7PHXPg9+MRdmus6tOWPQZjDV0NvE4v+PDjfdVCcUZGx1APXFjuJI9hjGQ+d7j6Y+
         D3viFCrlKU4GpEV/3r7fPiyYit/rwS+6dVvFDBt8jDTrzDRJUHq6FZKbaXHZ1WFmNFDP
         FlF0ZfZFBth3Rw0iFzy1rPkpBbrKK+M9TD9F61StNyV1ZWtYmfDEk5COuY9MnQ8R613e
         wxwiBKYQpXQslNs3JNnAL+/zKXtronznhO4zMH8XwrjXUxoObxav3u0NYo1WkszTKb6g
         qbQw==
MIME-Version: 1.0
X-Received: by 10.195.13.113 with SMTP id ex17mr23036648wjd.0.1391412098607;
 Sun, 02 Feb 2014 23:21:38 -0800 (PST)
Sender: anders.g.hammar@gmail.com
Received: by 10.194.137.100 with HTTP; Sun, 2 Feb 2014 23:21:38 -0800 (PST)
In-Reply-To: 
 <CAOonoheiu4EWX6p_g=FJHkRHqmBaG+PJoFbeS=7M9nh+DQhA5g@mail.gmail.com>
References: 
 <CAOonohfsbrJ-7pxsEYFhLJvzb9KS+V6tnM0Je46Ep3m8YLFWSg@mail.gmail.com>
	<CAKDUN1vjCWVKV8BQZkjAW4Xb96z_41mhRmP=TNzLHxaX=YdCGg@mail.gmail.com>
	<CAOonohc6YwtXH-LtEHv3PGnv57cQ0YjWUvcTp9VZ1+Bj8DN7sQ@mail.gmail.com>
	<CAKDUN1v-0t+DhVnYi3CXFa_0UBs+KXXnR3jeDWqaETFQOO8r=Q@mail.gmail.com>
	<CAOonoheiu4EWX6p_g=FJHkRHqmBaG+PJoFbeS=7M9nh+DQhA5g@mail.gmail.com>
Date: Mon, 3 Feb 2014 08:21:38 +0100
X-Google-Sender-Auth: F2ZvFWeVrO2PdmGgtEEbBSo-mwY
Message-ID: 
 <CAKDUN1swy7w7bjj12f7kffY=d-fD=eOThpz-tLgMg7dfBjaC_g@mail.gmail.com>
Subject: Re: dependency management across projects
From: Anders Hammar <anders@hammar.net>
To: Maven Users List <users@maven.apache.org>
Content-Type: multipart/alternative; boundary=047d7bfcf00adfb01804f17b5f84
X-Virus-Checked: Checked by ClamAV on apache.org

--047d7bfcf00adfb01804f17b5f84
Content-Type: text/plain; charset=ISO-8859-1

>
> > The release of the BOM would be that release of "a single coherent unit"
> > then. It would specify the (marketing) version of the "platform" P.
> > For example, P v1.0.0 will include v1.2.3 of SP1 (sub-product 1), v1.4.3
> of
> > SP2, etc.
>
> Isn't it what I just write in my original post? (without mentioning the
> BOM)
>

I believe so, yes. The key thing in my "solution" is the BOM. And the BOM
will keep the appropriate version of the the sub-products together.



> The very point I am trying to make here is
> "how do you manage that manual BOM on a daily basis". Each sub-project has
> its own release cycle and we cannot force the versions it has to use for a
> specific branch. For instance, the product might state that the dependency
> D should be 2.2.0 (because that's the latest or the one that people
> generally use) but for backward compatibility reason SP2 has to use 1.8.0.
>

There is no automatic solution for this that I know of. I suppose that
tolls could be created, but keep in mind that in the end, "for backward
compatibility reason SP2 has to use 1.8.0" is normally a human decision.

/Anders


>
> Creating manually the first BOM for P v1.0.0 isn't a problem: i've created
> a set of tools that I am happy to share once they are fully ready. But
> maintaining that BOM in the long run is more of a challenge (because we
> can't force the sub-projects to use those versions so we have to monitor
> what happens in each sub-project to take the appropriate version at the
> product level).
>
> Thanks again for the feedback!
>
> S.
>
>
> >
> > /Anders
> >
> >
> > >
> > >
> > > >
> > > >
> > > > There is also the possibility of creating a "grouping pom", which
> lists
> > > all
> > > > artifacts as dependencies. You would then declare a dependency to
> that
> > > > grouping pom and get all deps magically sucked in. However, this is
> not
> > > > really the "Maven way" in my opinion as you wouldn't specify your
> > direct
> > > > deps bu sort of relly on transitive deps. There are some fans of this
> > > > approach though here on this list.
> > > >
> > > >
> > > > > 2. Build configs that *force* each sub-project to run with the list
> > of
> > > > > dependencies for the project (to ensure all tests pass, etc). This
> is
> > > to
> > > > be
> > > > > used alongside the regular build job for validation purpose
> > > > >
> > > >
> > > > Maybe some enforcer rule?
> > > >
> > >
> > > Like I said, this is to be used alongside the regular build job. So my
> > SP4
> > > 1.2.0-SNAPSHOT is building with a set of dependencies on its own and I
> > want
> > > to validate that with the dependencies of the target release for P, it
> is
> > > also working just fine. It may just be the same ideally or slightly
> > > different (or not slightly at all which requires an explicit
> validation).
> > >
> > > So I need to be able to swap those versions for validation purposes and
> > run
> > > the build with that.
> > >
> > > S.
> > >
> > >
> > >
> > > >
> > > > /Anders
> > > >
> > > >
> > > > >
> > > > > I started to look at this and my first trial was to generate a
> report
> > > > with
> > > > > all the dependencies of each project and build a consolidated
> report
> > > > that I
> > > > > can match against the candidates. This would help manage the first
> > goal
> > > > as
> > > > > if a dependency gets added, removed or updated, the global
> > > > > dependencyManagement has to be impacted manually (do we upgrade or
> > not,
> > > > > etc).
> > > > >
> > > > > For the second part, it's not easy to force a dependency change in
> > > Maven,
> > > > > especially if the version has been specified at the project level.
> > > > >
> > > > > Thanks for reading that far. If you have any idea or know any
> > > > organisation
> > > > > that tried to implement that, I'd be interested
> > > > >
> > > > > Thanks!
> > > > > S.
> > > > >
> > > >
> > >
> >
>

--047d7bfcf00adfb01804f17b5f84--