incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ate Douma <>
Subject Re: Third party Maven Repository Usage
Date Tue, 23 Mar 2010 17:23:34 GMT
On 03/23/2010 01:01 AM, Kevan Miller wrote:
> On Mar 20, 2010, at 4:45 PM, Brian Fox wrote:
>> At the Central repository we are restricting the inclusion of external
>> repositories because this generally creates a mess. This is being
>> enforced on new artifacts coming in so I would recommend you do not
>> add them or your artifacts themselves will end up blocked. A better
>> choice is to encourage the missing dependency projects to get their
>> stuff into Central, or find some compatible libraries that are.
> Interesting. That's news to me... You have a pointer to more information?
This definitely is news to me as well.
Other than the link provided by the original poster,,
I can't find 
much about this new policy, nor much details.

While I clearly support the goal of improving Central repository quality, this solution really
caught me by (unpleasant) surprise and raises 
several questions which I would like to get answered.

* Unclear from the documentation is if this restriction on external repositories is limited
to only the repository definitions in a pom, or 
if it is (or will be) extended to dependency resolving as well.
If not all dependencies can be resolved to Central itself, would that be "flagged" too and
also cause blocking the artifact(s) ?

* At what stage is this policy "enforced"? I'm thinking of Apache Repository when we deploy
and release. Would a violation of this policy 
already be noticed (and reported) while doing a staging release, or only at the final release
to Maven Central?
The latter clearly would be too little too late IMO.
Note: we're using Apache Repository for snapshot deployments right now, and I haven't seen
any "warning" about us referencing external 

* Does this new policy also affect the processing and handling of the "legacy" rsync repositories
at /www/
If it does, or even only partly, please let us know how and to what extend.
Note: we're planning a bugfix release shortly of an older version of Jetspeed-2, version 2.1.4
(Apache Portals).
That version of Jetspeed-2 doesn't and cannot use the new Apache master pom nor Apache Repository
as it would require too major changes for 
the whole project configuration itself. The current Jetspeed-2 version 2.2.0 has been released
through Apache Repository, and we're planning 
a new release 2.2.1 shortly too. However, for Jetspeed 2.1.4 we'll still have to use the "legacy"
rsync procedure.
For both these versions we depend on a few external repositories and dependencies and having
to "fix" those (shortly) really will pose a 
problem for us.

* A policy change like this will IMO affect and *restrict* any and all Apache maven build
based projects who want or are supposed to deploy 
to Maven Central. *Apache* policy does not in any way restrict (maven) dependencies on external
repositories as long as the ASL license is 
honored. For whatever reason, this new Maven Central policy now seems to require all external
dependencies be (at least also) be available 
from it.

* Where, when, and by whom is this new policy discussed and decided upon? Or was this merely
something that happened "overnight"?
As this policy affects (at least) all ASF maven based projects, its seems to me something
which should not be decided within only the Maven 
*project* alone.

I'm not so sure this really is desired nor if it will lead to the intended goal.

As I understand it, this policy requires *all* maven artifacts anyone (and especially ASF
projects) would like to build against, to be 
deployed in Maven Central. While other external repositories surely can and may exist, not
so for Maven Central.
I honestly don't see how that can end up as a good solution. A single monolithic repository
to "rule them all" just doesn't seem right to me.
What about other, generally respected and IMO also fine repositories like
By excluding them, we're cutting off a large potential of code reuse and community benefits,
or otherwise putting a large burden on those 
depending on such external projects by forcing them to dual deploy to Maven Central as well.

I can imagine for some or many of those "external" repository project owners, or the users
needing their artifacts, this burden is too much 
to ask. Which could mean they will start ignore Maven Central all together and instead start
or increase deploying (duplicating) their 
artifacts elsewhere.

For Apache projects who "follow the guidelines", meaning leveraging Apache Repository and
the Apache master pom configuration to streamline 
and "automate" the Apache release process, going "elsewhere" is not really an option.
They will have to fix all these external (repository) dependencies, if even possible *just
for the sake of Maven Central, or else indeed 
"cut the cord" and go "independent"...

I really hope I'm missing the point here and none of this is going to cause much trouble after
Please enlighten me!



> --kevan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message