Auditing version ranges

org.apache.maven.user
Hello.

I've recently been considering moving to byte-for-byte reproducible
builds of my software packages. It seems fairly easy to get there via
plugins such as the reproducible-build-maven-plugin [0] as long as the
build isn't otherwise unreproducible, but one thing that I am unsure of
is whether or not it's possible to detect and fail the build if a
(transitive) dependency is using version ranges.

For example, if I declare a dependency on a package P and P declares a
dependency on Q using a version range, then my build is effectively
nondeterministic (because a new version of Q may appear at any time).
As a consumer of P, I may be totally unaware of Q and therefore won't
know to override the versions of Q in my own dependencyManagement
section.

Is there a plugin that can reject the use of version ranges anywhere in
the transitive dependency tree?

I'm currently using scijava's plugin to reject snapshot versions [1],
and am using the dependency plugin to fail builds with undeclared
dependencies.

[0] https://github.com/Zlika/reproducible-build-maven-plugin
[1] https://github.com/scijava/scijava-maven-plugin

--
Mark Raynsford | http://www.io7m.com

Re: Auditing version ranges

Thomas Broyer-2
Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough
for your use-case (also notice there's a Require Release Dependencies rule
to prohibit snapshot dependencies)
http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html

On Tue, 15 Aug 2017 at 12:06, Mark Raynsford <[hidden email]>
wrote:

> Hello.
>
> I've recently been considering moving to byte-for-byte reproducible
> builds of my software packages. It seems fairly easy to get there via
> plugins such as the reproducible-build-maven-plugin [0] as long as the
> build isn't otherwise unreproducible, but one thing that I am unsure of
> is whether or not it's possible to detect and fail the build if a
> (transitive) dependency is using version ranges.
>
> For example, if I declare a dependency on a package P and P declares a
> dependency on Q using a version range, then my build is effectively
> nondeterministic (because a new version of Q may appear at any time).
> As a consumer of P, I may be totally unaware of Q and therefore won't
> know to override the versions of Q in my own dependencyManagement
> section.
>
> Is there a plugin that can reject the use of version ranges anywhere in
> the transitive dependency tree?
>
> I'm currently using scijava's plugin to reject snapshot versions [1],
> and am using the dependency plugin to fail builds with undeclared
> dependencies.
>
> [0] https://github.com/Zlika/reproducible-build-maven-plugin
> [1] https://github.com/scijava/scijava-maven-plugin
>
> --
> Mark Raynsford | http://www.io7m.com
>
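
As an added example, not code from the thread or from any of the plugins mentioned: requireUpperBoundDeps checks that the version resolved for each artifact is at least as high as every version requested along any transitive path, and requireReleaseDeps rejects SNAPSHOT versions, but neither reads the version strings declared in transitive POMs to see whether they are ranges. The Python script below performs that audit directly. It assumes the project's dependencies have already been resolved into a local repository (so every transitive POM is on disk); property placeholders such as ${foo.version} are reported rather than resolved, since only the effective POM can resolve them. The sample POM embedded in the block is constructed for illustration and does not describe real artifacts.

```python
"""Audit the POMs in a Maven local repository for version ranges.

Added example, not code from the mailing-list thread or from any Maven
plugin. Assumes the dependency tree has been resolved into a local
repository first (e.g. `mvn dependency:resolve`), so that each
transitive POM can be read from disk.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Maven range syntax: "[1.0,2.0)", "[1.5,)", "(,1.0]" or "[1.0]" (a hard pin
# with identical bounds, still range syntax and therefore still reported).
RANGE_RE = re.compile(r"^[\[(].*[\])]$|,")
# A ${...} placeholder can only be resolved from the effective POM.
PROPERTY_RE = re.compile(r"\$\{[^}]+\}")


def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def classify_version(version):
    """Return 'missing' (managed elsewhere), 'property', 'range' or 'fixed'."""
    if not version:
        return "missing"
    if PROPERTY_RE.search(version):
        return "property"
    if RANGE_RE.search(version):
        return "range"
    return "fixed"


def find_version_ranges(pom_xml):
    """Return (kind, groupId, artifactId, version) for every <dependency>
    element whose version is a range or an unresolved property. Every
    <dependency> in the POM is inspected, including <dependencyManagement>,
    <profiles> and plugin dependencies.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "dependency":
            continue
        version = _child_text(elem, "version")
        kind = classify_version(version)
        if kind in ("range", "property"):
            findings.append((kind, _child_text(elem, "groupId"),
                             _child_text(elem, "artifactId"), version))
    return findings


def scan_repository(repo_root):
    """Walk every *.pom below repo_root; map POM path -> findings."""
    report = {}
    for pom in sorted(Path(repo_root).rglob("*.pom")):
        try:
            hits = find_version_ranges(pom.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            hits = [("unparseable", "", "", str(exc))]
        if hits:
            report[str(pom)] = hits
    return report


# Constructed sample POM (hypothetical artifacts) covering each case.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>p</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>q</artifactId>
      <version>[1.2,2.0)</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>r</artifactId>
      <version>3.1.4</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>s</artifactId>
      <version>${s.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def main(argv):
    root = argv[1] if len(argv) > 1 else str(Path.home() / ".m2" / "repository")
    report = scan_repository(root)
    for pom, hits in report.items():
        for kind, group, artifact, version in hits:
            print(f"{kind:11} {pom}: {group}:{artifact}:{version}")
    return 1 if report else 0  # non-zero exit fails a CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Resolving into a scratch repository keeps the scan limited to this project's tree: `mvn -Dmaven.repo.local=target/audit-repo dependency:resolve`, then run the script with `target/audit-repo` as its argument. Anything reported as "property" needs a look at the effective POM (`mvn help:effective-pom`) of the artifact that declared it before it can be classified.
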
Re: Auditing version ranges

org.apache.maven.user
On 2017-08-15T13:23:17 +0000
Thomas Broyer <[hidden email]> wrote:

> Maven Enforcer Plugin's Require Upper Bound Dependencies might be enough
> for your use-case (also notice there's a Require Release Dependencies rule
> to prohibit snapshot dependencies)
> http://maven.apache.org/enforcer/enforcer-rules/requireUpperBoundDeps.html

Thanks, didn't see that one. I'll give it a shot.

--
Mark Raynsford | http://www.io7m.com
