Hi guys,
I'm seeing some AttributeKey ID collisions for pgp-signer etc since sbt-pgp 0.8 came out.
What do you guys think about incorporating it as part of sbt 0.13?
sbt-pgp is now an essential part of ecosystem, since many OSS projects who
don't have their own repo publish to Sonatype as signed jar, which is overall a good thing.
sbt-pgp 0.8 came out a few months ago, adding publish-signed instead of just signing everything,
which also was smooth, in the parlance of our times.
But now we have half the OSS projects depending on sbt-pgp, and some plugin or build may even make
explicit reference to a particular version of it to customize the release behavior,
resulting to diamond inheritance problem.
[error] AttributeKey ID collisions detected for: 'pgp-signer' (sbt.Task[com.typesafe.sbt.pgp.PgpSigner], sbt.Task[com.jsuereth.pgp.sbtplugin.PgpSigner]), 'pgp-verifier' (sbt.Task[com.typesafe.sbt.pgp.PgpVerifier], sbt.Task[com.jsuereth.pgp.sbtplugin.PgpVerifier]), 'check-pgp-signatures' (sbt.Task[com.typesafe.sbt.pgp.SignatureCheckReport], sbt.Task[com.jsuereth.pgp.sbtplugin.SignatureCheckReport]), 'signatures-module' (sbt.Task[com.typesafe.sbt.pgp.GetSignaturesModule], sbt.Task[com.jsuereth.pgp.sbtplugin.GetSignaturesModule])
[error] Use 'last' for the full log.
It's not like a project or a plugin needs more feature than the other, they just need to agree on a version.
One solution is to say "only use sbt-pgp from global" but if someone needs to tweak releasing, that's probably not reasonable.
Another solution is to say "then at least use the latest version." That also won't work since binary versioning of sbt,
a build or a plugin can now live a long life, and some build may be using older plugins that references sbt-pgp.
The real solution, I think is that sbt-pgp becomes part of the sbt 0.13. This way, I can do my things in global,
and other projects can do their things in build.sbt, and it'll always be the same version since globals will be version-segregated.
-eugene