|
4 | 4 |
|
5 | 5 | Problems: |
6 | 6 | * Problem 1: Over- and misuse of dependency management. |
7 | | -* Problem 2: Limiting resolution (ie. "define resolvable space") |
| 7 | +* Problem 2: Augmenting resolution (ie. "define resolvable space" or "pass on extra info") |
8 | 8 | * Problem 3: Rogue dependencies. |
9 | 9 | * Problem 4: Performance and security issues due 1, 2 and 3. |
10 | 10 |
|
11 | 11 | ## Problem 1 |
12 | 12 |
|
13 | | -TBD |
| 13 | +Today many (big) projects provide BOMs for consumers to import, and those BOMs tend to be **huge**. |
| 14 | +The reason why these projects provide them is to "lock down" various direct and transitive |
| 15 | +dependency versions, as the library or project was "built with" these versions, and consumers |
| 16 | +should "carry on" working with these versions. |
| 17 | + |
| 18 | +On the other hand, these huge BOMs are in fact burden: imagine a consumer project that consumes |
| 19 | +such a huge project with 1000 modules (and even more locked versions for dependencies), but in fact |
| 20 | +it uses only a tiny portion of the huge project. It is doomed to "carry" thousands of entries |
| 21 | +only to utilize tiny amount of them. Moreover, how Resolver works, it make this |
| 22 | +work internally even more CPU and memory intensive, as dependency management list "just grows", |
| 23 | +as collection runs and list of them is appended with entries lifted from resolved POMs and kept |
| 24 | +distinct for each "path" in dependency graph, it basically explodes on large graphs. |
| 25 | + |
| 26 | +Conclusion: |
| 27 | +* Large scale (huge) BOMs are just bad: they clog Maven and Resolver for "what if it is used downstream". |
| 28 | + Is like shooting with a cannon onto mouse. Lumps "everything" onto consumer projects thay may want |
| 29 | + only tiny portion of it. |
| 30 | +* THe **`import`** scope hack is bad, many times confuses users. Moreover, the `import` scope |
| 31 | + **does not and never did** work in "Maven way" (it is first comes wins instead). |
14 | 32 |
|
15 | 33 | ## Problem 2 |
16 | 34 |
|
17 | | -TBD |
| 35 | +Consider Maven Plugins: each one was fully resolved, just to be embedded and run within Maven |
| 36 | +you are running. Long time ago, after the build, users would end up with multiple (half of dozen |
| 37 | +if not tens of it) versions of `maven-core` in their local repository, as each version of each plugin it depended on was |
| 38 | +resolved (downloaded, checksum calculated and so on) only to **be excluded** from plugin classpath |
| 39 | +when it runs (as running Maven provides the needed bits). Later on in 3.9.x timeframe, the plugin tools were improved, |
| 40 | +and plugins started declaring `maven-core` and other dependencies with `provided` scope, but this |
| 41 | +is in fact a hack. Also, this delegates the knowledge from Maven Core developers to Maven Plugin developers, |
| 42 | +to figure out what is provided and what is not provided (not everything in `/lib` is exported!). |
| 43 | +Moreover, in case you need `maven-resolver-util` on classpath, but also you |
| 44 | +want or need to support Maven 3.8.x and also Maven 3.9.x, one **must** declare this very one dependency |
| 45 | +as `compile` scoped dependency (while others like `maven-resolver-api` left in `provided` scope). |
| 46 | +These "tricks" are just bad. |
| 47 | + |
| 48 | +Plugin Tools provides here some "faint" heuristic, that is also annoying that warns users with |
| 49 | +dependencies in "wrong scopes". Am looking at things like `maven-archiver`. |
| 50 | + |
| 51 | +Conclusion: |
| 52 | +* In this case we force plugin developers to figure out things that are Maven internals, combined |
| 53 | + with exported packages and artifacts, that is not trivial. And this happens build time. |
| 54 | +* Why all this is not sorted at runtime? What if Maven would be "self-aware" of its own constituents, |
| 55 | + and plugin developers just depend on things they need and runtime figures out what to resolve and |
| 56 | + and what not to resolve? |
18 | 57 |
|
19 | 58 | ## Problem 3 |
20 | 59 |
|
21 | | -TBD |
| 60 | +You built, tested and published a library to Maven Central. Hence, you can go to sleep, right? |
| 61 | + |
| 62 | +But someone may pick up your library, with completely different setup, configuration and environment, |
| 63 | +and end up with totally different outcome. |
22 | 64 |
|
23 | 65 | ## Problem 4 |
24 | 66 |
|
|
0 commit comments