Thursday, May 31, 2007

[Tech] Maven and "public" Repositories

I have already written about build automation in this blog, and I think I made my point clear: I love the concept of Maven (2) and really think it is a great tool and a significant step forward in build automation.

Right, after this introduction a "but" has to follow, or at least a "however": Maven builds upon public repositories such as ibiblio and the central Maven repository from Apache, at least as long as open-source projects are involved. Now, apart from the fact that some of the repository servers apparently have had problems once in a while, there are a lot of open-source projects on those servers whose POM files are questionable at best. The last example I personally ran into was JMock, where the described POM settings do not work, and some months ago a Spring Framework version with iBatis, where specific iBatis versions were demanded that could not be found on public servers (whereas, to the best of my knowledge, the ones available on the servers would also have done).

Now usually one would say this is the problem of the project in question, and only that project's reputation suffers if its documentation or build configuration is sloppy. Unfortunately this is not the case where Maven 2 is concerned. The reason is simply that every other project depending on such a project with sloppy POMs now runs into problems too, and the whole Maven build idea suffers.

I personally really would ask all developers using Maven who provide projects with POMs "in the wild" to be careful with the POM settings that are uploaded for public usage. I am not a hardcore Maven expert, really, but I think some guidelines/best practices to check the validity of a Maven POM should be suggested. I would start with some initial thoughts here:
  • Check the XML for well-formedness and POM file syntax
  • Check whether all declared dependencies are really needed (do not just drop in anything that might be needed, and remove "historic legacy")
  • Test your POM on a clean local repository!
Any other thoughts?

Additionally, I want to suggest a tool that checks public repositories for invalid POMs; if, for example, a student would like to write that as a student project, please contact me!
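As an added example (not code from this post, and not an existing Maven tool), here is a small Python checker that covers the first two guidelines above and is the kind of check a "POM validity" tool for public repositories could start from: it verifies that the POM is well-formed XML, that the project declares its coordinates (allowing groupId and version to be inherited from a `<parent>`), that every dependency carries a version, and that no dependency is declared twice. The sample POM is constructed for this example; the missing version on the jmock dependency and the duplicated junit entry are deliberate so that the checker has something to report. Only the Python standard library is used.

```python
import xml.etree.ElementTree as ET

# Maven 2 POM namespace; every element in a namespaced POM is qualified with it.
POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample POM (not from the post) with two deliberate issues:
# the jmock dependency has no <version>, and junit is declared twice.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.jmock</groupId>
      <artifactId>jmock</artifactId>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
    </dependency>
  </dependencies>
</project>
"""


def _q(tag):
    """Qualify a POM element name with the Maven namespace."""
    return f"{{{POM_NS}}}{tag}"


def _text(elem, tag):
    """Return the stripped text of a direct child element, or None if absent/empty."""
    child = elem.find(_q(tag))
    return child.text.strip() if child is not None and child.text else None


def check_pom(xml_text):
    """Return a list of problem descriptions for a POM; an empty list means no findings."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Guideline 1: a POM that is not even well-formed XML fails every consumer.
        return [f"not well-formed XML: {exc}"]

    if root.tag != _q("project"):
        problems.append(f"root element is {root.tag}, expected {_q('project')}")
        return problems

    # Project coordinates: modelVersion and artifactId are always required;
    # groupId and version may be inherited from a <parent> element.
    has_parent = root.find(_q("parent")) is not None
    required = ["modelVersion", "artifactId"] if has_parent else ["modelVersion", "groupId", "artifactId", "version"]
    for tag in required:
        if _text(root, tag) is None:
            problems.append(f"missing <{tag}> in project coordinates")

    # Guideline 2: look at every declared dependency.
    seen = set()
    deps = root.find(_q("dependencies"))
    for dep in ([] if deps is None else deps.findall(_q("dependency"))):
        gid, aid, ver = (_text(dep, t) for t in ("groupId", "artifactId", "version"))
        key = f"{gid}:{aid}"
        if gid is None or aid is None:
            problems.append(f"dependency {key} lacks groupId or artifactId")
        if ver is None:
            problems.append(f"dependency {key} has no version (resolution relies on dependencyManagement or fails)")
        if key in seen:
            problems.append(f"dependency {key} declared more than once")
        seen.add(key)
    return problems


if __name__ == "__main__":
    for problem in check_pom(SAMPLE_POM):
        print(problem)
```

To apply the check to real files, read each `pom.xml` into a string and pass it to `check_pom`. The third guideline, testing on a clean local repository, is not something a static check can replace; in practice it means pointing Maven at an empty directory for its local repository (for example with `-Dmaven.repo.local=/path/to/empty/dir`) so that every dependency really has to be resolved from the public servers.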
