Re: Profiles, builds, and repositories

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Profiles, builds, and repositories

rfscholte
It is even worse. 
Are you familiar with Springboot? 
It has a property for a lot of versions, for both dependencies and plugins.
The idea is that you can override it in your own pom file.
However, you can do it from commandline as well!

When using the maven-release-plugin it is harder to achieve this, but it is still possible.
My rule is that commandline arguments should never have effect on the generated artifacts (so -DskipTests might be acceptable, but -Dmaven.compiler.release=X not)

In the near future we might be able to fix this for the consumer-pom, but it won't make it reproducible from sources.

thanks,
Robert
On 24-1-2020 18:23:01, Elliotte Rusty Harold <[hidden email]> wrote:
Is it possible for a profile to materially affect what gets installed
in a repository, particularly the central repo?

I'm not concerned about minutiae like builds times and other details
the reproducible build work is concerned with. I'm talking about more
major things like which classes are and are not in a jar.

My gut is that this is possible because profiles can change plugins
and plugins can do pretty much anything. Assuming that's so, is there
a way to tell from the data in the repo which profile was used to
create a particular artifact?

I'm particularly concerned about dependencies. Profiles can change
dependencies, so the runtime and compile time classpath might depend
on the active profile.


--
Elliotte Rusty Harold
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Profiles, builds, and repositories

Bernd Eckenfels
Hello,

Yes profiles can severely affect the content of a build artifact and there is no way to tell the used profile in the Maven repo. This is generally the reason why it should not be used to influence the released build artifacts and can also not be relied upon.

Gruss
Bernd


--
http://bernd.eckenfels.net
________________________________
Von: Elliotte Rusty Harold <[hidden email]>
Gesendet: Friday, January 24, 2020 6:22:17 PM
An: Maven Developers List <[hidden email]>
Betreff: Profiles, builds, and repositories

Is it possible for a profile to materially affect what gets installed
in a repository, particularly the central repo?

I'm not concerned about minutiae like builds times and other details
the reproducible build work is concerned with. I'm talking about more
major things like which classes are and are not in a jar.

My gut is that this is possible because profiles can change plugins
and plugins can do pretty much anything. Assuming that's so, is there
a way to tell from the data in the repo which profile was used to
create a particular artifact?

I'm particularly concerned about dependencies. Profiles can change
dependencies, so the runtime and compile time classpath might depend
on the active profile.


--
Elliotte Rusty Harold
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Profiles, builds, and repositories

Benjamin Marwell
There are cases where profiles must steer the build output though, although
they are rare.

For example, look at lmdb-native on GitHub. lmdb uses lots of native
methods. As they are building the jars containing the .so files from the
very same sources, they control the ci using profiles (Jenkins will build
Linux, circle will build osx, etc).
And there is a release profile, which will only deploy all previous built
jars.

As long as this task cannot be solved differently, please let profiles
influence the build output.

I'm open for other strategies, of course, as I am working on another
project with native libraries.

Ben




On Sat, 25 Jan 2020, 06:38 Bernd Eckenfels, <[hidden email]> wrote:

> Hello,
>
> Yes profiles can severely affect the content of a build artifact and there
> is no way to tell the used profile in the Maven repo. This is generally the
> reason why it should not be used to influence the released build artifacts
> and can also not be relied upon.
>
> Gruss
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> ________________________________
> Von: Elliotte Rusty Harold <[hidden email]>
> Gesendet: Friday, January 24, 2020 6:22:17 PM
> An: Maven Developers List <[hidden email]>
> Betreff: Profiles, builds, and repositories
>
> Is it possible for a profile to materially affect what gets installed
> in a repository, particularly the central repo?
>
> I'm not concerned about minutiae like builds times and other details
> the reproducible build work is concerned with. I'm talking about more
> major things like which classes are and are not in a jar.
>
> My gut is that this is possible because profiles can change plugins
> and plugins can do pretty much anything. Assuming that's so, is there
> a way to tell from the data in the repo which profile was used to
> create a particular artifact?
>
> I'm particularly concerned about dependencies. Profiles can change
> dependencies, so the runtime and compile time classpath might depend
> on the active profile.
>
>
> --
> Elliotte Rusty Harold
> [hidden email]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>