maven-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher <>
Subject Re: Surprise DEPENDENCIES file from a maven plugin
Date Tue, 12 May 2015 16:46:22 GMT
For what it's worth, I found a workaround: add my own DEPENDENCIES
file to SCM. The remote-resources plugin doesn't appear to clobber
existing files.

Christopher L Tubbs II

On Tue, May 12, 2015 at 11:04 AM, Christopher <> wrote:
> On Tue, May 12, 2015 at 1:38 AM, Karl Heinz Marbaise <> wrote:
>> Hi Christopher,
>> the DEPENDENCIES file is generated by the maven-remote-resources-plugin
>> Lines 308-323 ...
> Thanks. It seems (to me) like this might be a bug with
> maven-remote-resources-plugin... this file seems to only exist in the
> root of the project (which is our  intermediate parent POM), and seems
> to generate an empty file (except for the header), because our
> project's parent POM has no dependencies. It's a completely worthless
> file. It does not get added to any of the child modules, where it
> might actually be useful (because they actually have dependencies).
> Further, it seems like a bug because plugins shouldn't really be
> modifying stuff outside of ${} usually. Does
> anybody know the history of this behavior, and what this file's
> purpose is?
> [snip]
>> On 5/11/15 11:35 PM, Christopher wrote:
> [snip]
>>> This file seems to fail the apache-rat check, and makes the
>>> -source-release.tar.gz fail to match the SHA-1 git commit.
>> I see fialing the apache-rat check but the SHA-1 git commit i don't
>> understand ?
> [snip]
> I mean: the -source-release.tar.gz includes this file, but the release
> tag in git does not. Thus, our official source release tarball does
> not match any actual tag in SCM, which is unexpected.
> Another problem is that adding this file "dirties" the clean checkout
> of the tag during "release:perform", and as a result, a plugin we have
> configured to insert the git commit id (SHA-1) into the MANIFEST.MF
> files for the "Implementation Build" gets marked with a "-dirty"
> suffix, to indicate the release build was modified since checkout from
> the tag (which is normally a bad thing).

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message