--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I thought the best way to handle this in maven was via dependencyManagement where you can state that "let's always use version 1.1 for C".
I think locking down a given version as in the C 1.1 case isn't that bad. Certainly not worse than randomly picking whatever gets resolved last.
How is you suggestion safer? Perhaps I am missing the point?
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
And if you forget to exclude C from X what happens then?
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
And if you forget to exclude C from X what happens then?
> By default, Maven does not care about these conflicts, it packs both versions of library C into the Classpath
I'd like to correct this statement. Maven always uses only one version
of each dependency. The rules to determine the exact version are
somewhat complicated
(https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies)
but deterministic.
And as Henrik pointed out it is always possible to
lock the exact version of any transitive dependency.
Using excludes and maven-enforcer-plugin to prevent conflicting
versions is possible but it very quickly becomes complicated when
number of dependencies grows. Transient dependencies of transient
dependencies makes things even more complicated. To be honest I have
never seen excludes being used this way.
On 3 August 2016 at 14:39, Fabian Stäber <fabian....@gmail.com> wrote:
> On Wednesday, August 3, 2016 at 2:46:10 PM UTC+2, Henrik Johansson wrote:
>>
>> And if you forget to exclude C from X what happens then?
>>
>>
>
> My opinion is: The build should fail if you forget to exclude C from X. This
> forces the user to explicitly resolve all conflicts. No conflict should be
> resolved automatically, and no version should be implicitly set by some
> global parameter.
>
> That's exactly what happens if you use the maven-enforcer-plugin in Maven,
> and in my experience this is a good thing.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Go Package Management" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-package-management+unsub...@googlegroups.com.
> email to go-package-management+unsub...@googlegroups.com.
Dependency resolution in Maven when version ranges are not used is
fairly straightforward:
- if a project explicitly defines a version in dependencyManagement
section use this version
- otherwise choose the first version that is found by BFS when
traversing dependencies graph
This algorithm never fails to resolve versions but of course can
select wrong versions and result in compile or runtime errors. If this
happens it is always possible (and recommended) to specify versions
explicitly though.
It gets much more complicated with version ranges. The exact behaviour
is not fully documented and there are some edge cases that are not
handled very well (like this
https://issues.apache.org/jira/browse/MNG-3092 ticket open for 9
years!).
When using version ranges:
- the build can fail because version ranges of a transient dependency
do not overlap
- maven finds the latest version from the overlapping range
- the build can be non-reproducible as it relies on the versions
available in the remote repository.
Fortunately version ranges are used very rarely. In fact I have never
used version ranges with Maven and don't recall any project that used
them.
I doubt the usefulness of version ranges. The way they are resolved
are often hard to explain
and often they lie to users. For example:
- specifying >=1.2.7 when 1.3.0 doesn't even exist. What if 1.3.0 (or
1.2.8) is not backward compatible?
- specifying >= 1.2.7 <= 1.2.12. Has the library been tested with all
5 versions (1.2.7, 1.2.8, ....)? Most of the time not.
And when 1.2.13
is out it might still be compatible, so the version range
unnecessarily prevents 1.2.13 from being used.
>> > email to go-package-management+unsub...@googlegroups.com.
>> > To post to this group, send email to go-package...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Go Package Management" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-package-management+unsub...@googlegroups.com.
Hi,
I just came across this discussion, and would like to share my experience as a Java developer:
The main problems we have in many projects are version conflicts with transitive dependencies:
Library A depends on Library C version 1.0
Library B depends on Library C version 1.1
You want to use Library A and Library B.
By default, Maven does not care about these conflicts, it packs both versions of library C into the Classpath, and it is kind of random which one will be used at runtime. This often results in hard-to-find run-time errors.
Therefore, many Java developers use the `maven-enforcer-plugin` which can be configured to make the build break if version conflicts are detected.
Maven supports an `exclude` option to selectively disable transitive dependencies. For example, you could configure Maven to use Library A, but `exclude` the dependency to Library C.
With the `maven-enforcer-plugin` enabled, you are forced to use `excludes` to manually resolve dependency conflicts, otherwise you cannot build the project. This is sometimes a painstaking process, but it is the best solution i'm aware of.
My opinion: I find transitive dependencies useful and would recommend to enable them by default. However, I also find it useful to break the build and force the user to fix it as soon as any conflict occurs.
/Fabian
The lesson that GB took from maven is that dependencies should specify only the things they depend on, not which version. It's up to the project that integrates all that code to decide on which single version of a jar will be compiled against and available on the computed class path.
In go, we get the first part of this sorry for free, the import decl already tells us _what_ is the name of the package this code depends on, all that is missing is _which_ copy (or version if you're being imprecise) should be used.
Just because it's possible does not in any way make it a good idea and I don't see why tools should continue to enable this.
No.
There is no solution that really scales and having this problem in the first place is not a positive thing to have. It involves unwarranted complexity.
A good write up on this: https://blogs.msdn.microsoft.com/eric_brechner/2015/06/30/diamond-dependencies/
Using SAT solvers for this is not a scalable nor very good solution. We shouldn't get into this in the first place. It involves more upfront effort of course.But for a cleaner, more maintainable overall architecture.
Hi Dave.
>> ... dependencies should specify only the things they depend on, not which version. It's up to the project that integrates all that code to decide on which single version of a jar will be compiled against and available on the computed class path.
OK on a single version per project, but how do you propose that the project manager tool select (or validate) the version to use (or being used)?
For example: What if my project imports package A, but I need an older version (1.x) because a recent API change (2.x) of A isn't compatible with my project's code. I would expect the project manager tool to verify that the version selected is "legal" per this constraint. So where is the constraint stated by package A’s author?
John
John Souvestre - New Orleans LA
--
In the maven world it is done by hand, by copying and pasting the xml stanza into your project pom.
In the gb world it is done by putting the source of the package in your $PROJECT/vendor/src folder.
I stand by my statement that I disagree with the claims that were made. Feel free to disagree too without having to dictate how I express myself, thank you.
It's funny that you disagree because all the evidence you need is the Go tree.
SAT solvers are not needed. I could give the example of other ecosystems (canonical example being cabal).
If one of your attempted solution to the problem was to introduce SAT solving, indeed I understand that my wording may have been a bit hurtful and for this I apologize.
Hi Dave.
>> So where is the constraint stated by package A's author?
> In the gb world it is done by putting the source of the package in your $PROJECT/vendor/src folder.
I don’t understand. The author of package A doesn't know anything about my project. Where do you propose that he state the constraint (version number) for his package?
John
John Souvestre - New Orleans LA
Two things
- go packages have no notion of version because we have no release process, so there no way for a library author to tell a downstream consumer which version they should use.
- gb doesn't have a solution to this at the moment either, because of the first point.
All you can do is get some source, and put it in your vendor folder and hope for the best.
Two things
- go packages have no notion of version because we have no release process, so there no way for a library author to tell a downstream consumer which version they should use.
Hi Dave.
> Please understand, nobody is more tired of hearing this little stump speech than me.
Sorry, but I don't think that you addressed the question I asked. So forgive me if I try again.
> - go packages have no notion of version because we have no release process, so there no way for a library author to tell a downstream consumer which version they should use.
I'm not asking how a library author would tell a consumer which version to use. I'm asking how the author would say what version his library is.
> All you can do is get some source, and put it in your vendor folder and hope for the best.
I believe that we can do better in the future. :)
If I understand the question you asked, that is proposal/12302.
If I didn't answer you question, could you please ask it in a different way.
Thanks
Hi Dave.
> If I understand the question you asked, that is proposal/12302.
Yes, thanks. I see:
>> Source code is released by tagging (eg. git tag) the VCS repository with a string representing a SemVer compatible version number for that release.
OK.
> If I didn't answer you[r] question, could you please ask it in a different way.
You did. But I have a follow-up. :)
>> The lesson that GB took from maven is that dependencies should specify only the things they depend on, not which version.
Do I understand correctly that you feel that my project code should not include a constraint that only version 1.x of package A (from my previous example) is allowed? No automatic alert should someone should later replace (in my project) package A version 1.x with 2.x?
Hi Dave.
> If I understand the question you asked, that is proposal/12302.
Yes, thanks. I see:
>> Source code is released by tagging (eg. git tag) the VCS repository with a string representing a SemVer compatible version number for that release.
OK.
> If I didn't answer you[r] question, could you please ask it in a different way.
You did. But I have a follow-up. :)
>> The lesson that GB took from maven is that dependencies should specify only the things they depend on, not which version.
Do I understand correctly that you feel that my project code should not include a constraint that only version 1.x of package A (from my previous example) is allowed? No automatic alert should someone should later replace (in my project) package A version 1.x with 2.x?
Hi Dave.
Sorry for my misinterpretation. I'm having some trouble fully understanding what you said.
If code in my project would not specify the dependency (version 1.x of package A), then how would my project's package manager be aware of it?
John
John Souvestre - New Orleans LA
From: Dave Cheney [mailto:da...@cheney.net]
Sent: 2016 August 08, Mon 20:17
To: John Souvestre; Go Package Management
Subject: Re: [go-pm] Re: Transitive dependencies
On Tue, 9 Aug 2016, 10:55 John Souvestre <jo...@souvestre.com> wrote:
Hi Dave.
> If I understand the question you asked, that is proposal/12302.
Yes, thanks. I see:
>> Source code is released by tagging (eg. git tag) the VCS repository with a string representing a SemVer compatible version number for that release.
OK.
> If I didn't answer you[r] question, could you please ask it in a different way.
You did. But I have a follow-up. :)
>> The lesson that GB took from maven is that dependencies should specify only the things they depend on, not which version.
Do I understand correctly that you feel that my project code should not include a constraint that only version 1.x of package A (from my previous example) is allowed? No automatic alert should someone should later replace (in my project) package A version 1.x with 2.x?
Respectfully I think this conversation is going in circles and there is nothing more I can usefully add. Thank you for your understanding.
Thank you for your time.
John
John Souvestre - New Orleans LA
From: Dave Cheney [mailto:da...@cheney.net]
Sent: 2016 August 08, Mon 22:25
To: John Souvestre; Go Package Management
Subject: Re: [go-pm] Re: Transitive dependencies
Respectfully I think this conversation is going in circles and there is nothing more I can usefully add. Thank you for your understanding.
The way it worked in maven world is you would have a parent pom (your
project), child poms (if you built your project out of various
libraries), and the poms they depended on would specify the artefact
name and group id (basically a fully qualified name) but _not_ include
the version field. That field was provided by the parent pom by
specifying all three. In effect the project has to specify the fully
qualified name _and_ the version of every transitive dependency.
Which is exactly what gb does, but without the xml and brass band.