Scot, you're perhaps lacking some imagination.
I'd concur 100%.
I can see that in an open source development model it would be a tremendous waste of resources on SourceForge, etc, to redundantly store all the dependencies of each project in each project rather than have some means of cross-referencing.
For those of us not in that world, however, this concern is minuscule whereas having all our dependencies exactly as we had them at each point in time, labeled in our source control system, etc, is much more important.
I probably go to extremes here as I keep the full source distributions around and source controlled as well -- so I can quickly look back at any point in time and look at the appropriate sources for any dependencies without having to go track them down again (or relying upon sites to still be up, etc).
All-in-all I see Maven as an economy of scale tool for open source development -- but of little interest to those needing solid control and traceability.
Call me control freak but I never liked the idea of someone out there managing the libraries I use. I want to be able to check out a project version of two years ago and do a build as I did then. I might compromise on things like the JDK and Ant, storing their versions as references instead of checking them in (there is some trust there), but I wouldn't dare relying on external sources for every single library I use (my trust doesn't extend into e.g. Maven repositories) -- so I like building JARs with a dump of the Ant properties (thus getting Ant and JDK versions and probably also the VCS revision since I pulled that out somewhere) and all libraries are checked in completely with the JAR, a matching source zip, the licence and a little readme with version info and URL.
/lift/ committer (www.liftweb.net)
> Call me control freak but I never liked the idea of someone out thereBut that's the beauty of it. When versioning of projects is a major
> managing the libraries I use.
part of the language itself, ALL libraries are versioned as well, and
all source files carry inside them dependencies including versions.
Your project will use the same version of the same library until the
end of times, or, of course, until you dive in there and update them.
With tactical version numbering you can make the usual distinction
between api-compatible serious bug and security fixes which do get
automatically updated, minor updates which you do or don't want to
auto-use, and major updates that you have to manually confirm. Even if
in virtually 100% of the circumstances it'll just work (due to the
advanced support for letting libraries integrate with their own old
versions). The usual repository flexibility would of course be there
so that you can clone the stuff you need from the main repository and
keep everything 'in house' if you don't trust the main repository too
much or some such.
I don't want to get hung up on details here. Such issues can be fixed.
>I don't have that much experience with Maven myself. Does maven not
> Everyone who did serious development with Maven seems to have ended up
> spending a lot of work doing lockdowns of dependencies and Maven plugins. It
> sounds pretty scary to me, although I have to admit that I never got beyond
> the "Hello World" stage with Maven myself (probably because I'm such a
> control freak or wuss).
allow you to make a reference to a specific version or some such?
Personally I'd say that, given that all APIs are versioned one way or
another, any system that doesn't allow you to specify the target
version is broken by design.
> On Jan 19, 2008 5:35 AM, Reinier Zwitserloot <rein...@gmail.com> wrote:
>
> I guess I was jumping the gun a little bit -- in the end it comes down to a
> question of trust, not technology. I trust some Linux distributions enough
> to run production servers using them, but with the whole Maven/Ivy story I
> still see two differences: (a) a culture/history of quality doesn't seem to
> be established and (b) a server can be replaced relatively easily, my
> product is more important to me.
Debian is currently in the process of including Maven and in the
longer run including some sort of controlled repository (or mapping to
it) in its repositories. That should be good enough. Until then
nothing stops you from running your internal repository server and
controlling it all internally down to the version of each transitive
dependency. Doing that with maven is still way better than doing it
without IMHO...
> Can I see it working? Yes, but I would need a lot of trust in the
> organization or community providing that service. It's not only about
> getting it right in the first place (right dependencies, properly build
> libraries) but also about maintaining the structure and contents for a long
> time. I want to be able to keep building the same thing for a number of
> years, so I have to rely on the system being able to produce the same
> dependencies and the same libraries with the same API (since I will have an
> old build configuration in my VCS).
which maven can do just fine...
>> > Everyone who did serious development with Maven seems to have ended up
>> > spending a lot of work doing lockdowns of dependencies and Maven
>> plugins. It
>> > sounds pretty scary to me, although I have to admit that I never got
>> beyond
>> > the "Hello World" stage with Maven myself (probably because I'm such a
>> > control freak or wuss).
>>
>> I don't have that much experience with Maven myself. Does maven not
>> allow you to make a reference to a specific version or some such?
Yes it does. It also allows you to control transitive dependencies
where necessary as well as controlling the repository everything is
retrieved from..
manfred
Quoting Peter Becker <peter.b...@gmail.com>:
> On Jan 19, 2008 5:35 AM, Reinier Zwitserloot < rein...@gmail.com> wrote:
>> I guess I was jumping the gun a little bit -- in the end it comes down to aDebian is currently in the process of including Maven and in the
> question of trust, not technology. I trust some Linux distributions enough
> to run production servers using them, but with the whole Maven/Ivy story I
> still see two differences: (a) a culture/history of quality doesn't seem to
> be established and (b) a server can be replaced relatively easily, my
> product is more important to me.
longer run including some sort of controlled repository (or mapping to
it) in its repositories. That should be good enough. Until then
nothing stops you from running your internal repository server and
controlling it all internally down to the version of each transitive
dependency. Doing that with maven is still way better than doing it
without IMHO...
> Can I see it working? Yes, but I would need a lot of trust in thewhich maven can do just fine...
> organization or community providing that service. It's not only about
> getting it right in the first place (right dependencies, properly build
> libraries) but also about maintaining the structure and contents for a long
> time. I want to be able to keep building the same thing for a number of
> years, so I have to rely on the system being able to produce the same
> dependencies and the same libraries with the same API (since I will have an
> old build configuration in my VCS).
Yes it does. It also allows you to control transitive dependencies
>> > Everyone who did serious development with Maven seems to have ended up
>> > spending a lot of work doing lockdowns of dependencies and Maven
>> plugins. It
>> > sounds pretty scary to me, although I have to admit that I never got
>> beyond
>> > the "Hello World" stage with Maven myself (probably because I'm such a
>> > control freak or wuss).
>>
>> I don't have that much experience with Maven myself. Does maven not
>> allow you to make a reference to a specific version or some such?
where necessary as well as controlling the repository everything is
retrieved from..
Alexey
2001 Honda CBR600F4i (CCS)
1992 Kawasaki EX500
http://azinger.blogspot.com
http://bsheet.sourceforge.net
http://wcollage.sourceforge.net
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ