maven-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <>
Subject Re: Surprise DEPENDENCIES file from a maven plugin
Date Tue, 12 May 2015 15:04:25 GMT
On Tue, May 12, 2015 at 1:38 AM, Karl Heinz Marbaise <> wrote:
> Hi Christopher,
> the DEPENDENCIES file is generated by the maven-remote-resources-plugin
> Lines 308-323 ...

Thanks. It seems (to me) like this might be a bug with
maven-remote-resources-plugin... this file seems to only exist in the
root of the project (which is our  intermediate parent POM), and seems
to generate an empty file (except for the header), because our
project's parent POM has no dependencies. It's a completely worthless
file. It does not get added to any of the child modules, where it
might actually be useful (because they actually have dependencies).

Further, it seems like a bug because plugins shouldn't really be
modifying stuff outside of ${} usually. Does
anybody know the history of this behavior, and what this file's
purpose is?

> On 5/11/15 11:35 PM, Christopher wrote:
>> This file seems to fail the apache-rat check, and makes the
>> -source-release.tar.gz fail to match the SHA-1 git commit.
> I see fialing the apache-rat check but the SHA-1 git commit i don't
> understand ?

I mean: the -source-release.tar.gz includes this file, but the release
tag in git does not. Thus, our official source release tarball does
not match any actual tag in SCM, which is unexpected.

Another problem is that adding this file "dirties" the clean checkout
of the tag during "release:perform", and as a result, a plugin we have
configured to insert the git commit id (SHA-1) into the MANIFEST.MF
files for the "Implementation Build" gets marked with a "-dirty"
suffix, to indicate the release build was modified since checkout from
the tag (which is normally a bad thing).

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message