FWIW, CWP and Evergreen are using (no enforcement/checker yet, so there's probably smallish discrepancies) both use the Bill Of Materials JEP-309: https://github.com/jenkinsci/jep/tree/master/jep/309. So we already have the standard format defined. So we should all use it. And if by chance it's deemed to miss some things, then JEP-309 should just be amended so that we agree on something. I agree with Nicolas De Loof this subject of handling Jenkins dependencies is becoming wasteful, fluffier and fluffier with all these variants, and should become a tool on its own so that people stop rewriting the (square) wheel everywhere. I've thought about all this just a bit and I wonder technically this should be:
- I find a tool like this would be good to be usable everwhere easily using CLI, so writing it in Go seems a good direction
- at the same time, Jenkins ecosystem and consumers would probably need it in Java. Ideally, in that case, even Jenkins core associated logic could be extracted (cannot judge of the associated complexity though) so that really everyone use the same resolver tool.
Like for Maven dependencies, we need a tool able to:
- compute a dependency tree without (or with as few as possible) downloads
- download a whole dependency tree (including optional dependencies or not, here lies some combinatorial too).
|