Plugin Versions in the Super pom

> I know it's been discussed before in the context of various other issues
> and solutions, but I want to discuss locking down core plugins in the
> super pom _for_ 2.0 _only_.
>
>
>
> Normally we get into some large protracted discussions about better
> solutions and drawbacks/benefits of them, meanwhile the users suffer the
> wrath of auto plugin updates. Considering the amount of time I spent
> writing the enforcer requirePluginVersions rule, you can safely assume
> you don't need to convince me that the _right_ way is to lock them down
> in your poms. I already believe that. I also think that there is
> probably a better solution, whether it's plugin packs (which I don't
> agree with at this point) or something else. We can agree that whatever
> else it is that may be done will come in 2.1 and for a large portion of
> users 2.1 in production is a long way off and we continue to suffer "bad
> press" about the instability of Maven in the mean time. So I'd like to
> put those discussions aside for now and simply discuss the ramifications
> of defaulting the core plugin versions in the super pom in 2.0 only.
>
>
>
> I see two main benefits:
>
> 1.      Those who have followed best practice and locked their versions
> down will not be affected by this at all. The normal inheritance rules
> will apply, and we'll put these versions into the pluginManagement
> section of the super pom.
>
> 2.      Those who have not locked their versions down will only be
> affected by gaining stability in between maven releases. If they want a
> new plugin before the next Maven release, they will have to follow the
> best practices and lock their version down to the new version. (this
> actually informs people and encourages them to learn how to do
> that...but when _they_ are ready to do it because they are motivated to
> grab a new release, not when they least expect it because we pushed out
> a plugin that broke their build)
>
> 3.      The change is very simple, can be done quickly and has little
> harm of creating more problems.
>
>
>
> The only drawback I can see is that it lulls people into a false sense
> of security because _less_ plugins auto update.... Not all of them.
> Certainly we won't lock down every  plugin in existence and those
> plugins will still be subjected to the auto update. Again, I'm not
> suggesting we solve the world here, but this is a simple step forward to
> reduce the impact of one of the most frequent complaints of the users.
>
>
>
> If you can think of some serious drawbacks to this approach, speak now
> for forever hold your peace ;-)
>
>
>
> --Brian
>
>
>
>
>
>

> On Feb 8, 2008 4:41 PM, Brian E. Fox <brianf@...> wrote:
>> I know it's been discussed before in the context of various other  
>> issues
>> and solutions, but I want to discuss locking down core plugins in the
>> super pom _for_ 2.0 _only_.
>>
>>
>>
>> Normally we get into some large protracted discussions about better
>> solutions and drawbacks/benefits of them, meanwhile the users  
>> suffer the
>> wrath of auto plugin updates. Considering the amount of time I spent
>> writing the enforcer requirePluginVersions rule, you can safely  
>> assume
>> you don't need to convince me that the _right_ way is to lock them  
>> down
>> in your poms. I already believe that. I also think that there is
>> probably a better solution, whether it's plugin packs (which I don't
>> agree with at this point) or something else. We can agree that  
>> whatever
>> else it is that may be done will come in 2.1 and for a large  
>> portion of
>> users 2.1 in production is a long way off and we continue to suffer  
>> "bad
>> press" about the instability of Maven in the mean time. So I'd like  
>> to
>> put those discussions aside for now and simply discuss the  
>> ramifications
>> of defaulting the core plugin versions in the super pom in 2.0 only.
>>
>>
>>
>> I see two main benefits:
>>
>> 1.      Those who have followed best practice and locked their  
>> versions
>> down will not be affected by this at all. The normal inheritance  
>> rules
>> will apply, and we'll put these versions into the pluginManagement
>> section of the super pom.
>>
>> 2.      Those who have not locked their versions down will only be
>> affected by gaining stability in between maven releases. If they  
>> want a
>> new plugin before the next Maven release, they will have to follow  
>> the
>> best practices and lock their version down to the new version. (this
>> actually informs people and encourages them to learn how to do
>> that...but when _they_ are ready to do it because they are  
>> motivated to
>> grab a new release, not when they least expect it because we pushed  
>> out
>> a plugin that broke their build)
>>
>> 3.      The change is very simple, can be done quickly and has little
>> harm of creating more problems.
>>
>>
>>
>> The only drawback I can see is that it lulls people into a false  
>> sense
>> of security because _less_ plugins auto update.... Not all of them.
>> Certainly we won't lock down every  plugin in existence and those
>> plugins will still be subjected to the auto update. Again, I'm not
>> suggesting we solve the world here, but this is a simple step  
>> forward to
>> reduce the impact of one of the most frequent complaints of the  
>> users.
>>
>>
>>
>> If you can think of some serious drawbacks to this approach, speak  
>> now
>> for forever hold your peace ;-)
>>
>>
>>
>> --Brian
>>
>>
>>
>>
>>
>>
>
>
>
> --
> I could give you my word as a Spaniard.
> No good. I've known too many Spaniards.
>                             -- The Princess Bride
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>

>
> I know it's been discussed before in the context of various other issues
> and solutions, but I want to discuss locking down core plugins in the
> super pom _for_ 2.0 _only_.
>
>
>
> Normally we get into some large protracted discussions about better
> solutions and drawbacks/benefits of them, meanwhile the users suffer the
> wrath of auto plugin updates. Considering the amount of time I spent
> writing the enforcer requirePluginVersions rule, you can safely assume
> you don't need to convince me that the _right_ way is to lock them down
> in your poms. I already believe that. I also think that there is
> probably a better solution, whether it's plugin packs (which I don't
> agree with at this point) or something else. We can agree that whatever
> else it is that may be done will come in 2.1 and for a large portion of
> users 2.1 in production is a long way off and we continue to suffer "bad
> press" about the instability of Maven in the mean time. So I'd like to
> put those discussions aside for now and simply discuss the ramifications
> of defaulting the core plugin versions in the super pom in 2.0 only.
>
>
>
> I see two main benefits:
>
> 1.      Those who have followed best practice and locked their versions
> down will not be affected by this at all. The normal inheritance rules
> will apply, and we'll put these versions into the pluginManagement
> section of the super pom.
>
> 2.      Those who have not locked their versions down will only be
> affected by gaining stability in between maven releases. If they want a
> new plugin before the next Maven release, they will have to follow the
> best practices and lock their version down to the new version. (this
> actually informs people and encourages them to learn how to do
> that...but when _they_ are ready to do it because they are motivated to
> grab a new release, not when they least expect it because we pushed out
> a plugin that broke their build)
>
> 3.      The change is very simple, can be done quickly and has little
> harm of creating more problems.
>
>
>
> The only drawback I can see is that it lulls people into a false sense
> of security because _less_ plugins auto update.... Not all of them.
> Certainly we won't lock down every  plugin in existence and those
> plugins will still be subjected to the auto update. Again, I'm not
> suggesting we solve the world here, but this is a simple step forward to
> reduce the impact of one of the most frequent complaints of the users.
>
>
>
> If you can think of some serious drawbacks to this approach, speak now
> for forever hold your peace ;-)
>
>
>
> --Brian
>
>
>
>
>
>

>
> +1
>
> I've allready done similar "fix common plugins version" work in my
> corporate POM, with version set for all
> org.apache.maven.plugins and many org.codehaus.mojo.
>
> Recent release of surefire plugin demonstrates many users suffering from
> the "get latest" plugin policy, and some builds not beeing reproductible
> anymore.
>
> Nico.
>
>
> 2008/2/9, Brian E. Fox <brianf@...>:
> >
> > I know it's been discussed before in the context of various other issues
> > and solutions, but I want to discuss locking down core plugins in the
> > super pom _for_ 2.0 _only_.
> >
> >
> >
> > Normally we get into some large protracted discussions about better
> > solutions and drawbacks/benefits of them, meanwhile the users suffer the
> > wrath of auto plugin updates. Considering the amount of time I spent
> > writing the enforcer requirePluginVersions rule, you can safely assume
> > you don't need to convince me that the _right_ way is to lock them down
> > in your poms. I already believe that. I also think that there is
> > probably a better solution, whether it's plugin packs (which I don't
> > agree with at this point) or something else. We can agree that whatever
> > else it is that may be done will come in 2.1 and for a large portion of
> > users 2.1 in production is a long way off and we continue to suffer "bad
> > press" about the instability of Maven in the mean time. So I'd like to
> > put those discussions aside for now and simply discuss the ramifications
> > of defaulting the core plugin versions in the super pom in 2.0 only.
> >
> >
> >
> > I see two main benefits:
> >
> > 1.      Those who have followed best practice and locked their versions
> > down will not be affected by this at all. The normal inheritance rules
> > will apply, and we'll put these versions into the pluginManagement
> > section of the super pom.
> >
> > 2.      Those who have not locked their versions down will only be
> > affected by gaining stability in between maven releases. If they want a
> > new plugin before the next Maven release, they will have to follow the
> > best practices and lock their version down to the new version. (this
> > actually informs people and encourages them to learn how to do
> > that...but when _they_ are ready to do it because they are motivated to
> > grab a new release, not when they least expect it because we pushed out
> > a plugin that broke their build)
> >
> > 3.      The change is very simple, can be done quickly and has little
> > harm of creating more problems.
> >
> >
> >
> > The only drawback I can see is that it lulls people into a false sense
> > of security because _less_ plugins auto update.... Not all of them.
> > Certainly we won't lock down every  plugin in existence and those
> > plugins will still be subjected to the auto update. Again, I'm not
> > suggesting we solve the world here, but this is a simple step forward to
> > reduce the impact of one of the most frequent complaints of the users.
> >
> >
> >
> > If you can think of some serious drawbacks to this approach, speak now
> > for forever hold your peace ;-)
> >
> >
> >
> > --Brian
> >
> >
> >
> >
> >
> >
>

> > simply discuss the ramifications of defaulting the core plugin versions
> in
> > the super pom in 2.0 only.
>
> +1, might also spare users from learning yet another concept like
> "plugin-packs". If the super POM locks down all plugins that would be
> injected by one of the various lifecycle mappings and the user himself
> locks
> down any additional plugins he explicitly configured in the POM, why
> bother
> with something like "plugin-packs".
>
> Besides, I do not see much value in an attempt to pack/group plugins given
> the fact that each plugin has its own release cycle, i.e. there are more
> version combinations of plugins from which I want to choose than you want
> to
> provide plugin packs for.
>
> Last but least and please don't take this as an offense but if you are
> honest you have to confess that implementation of inheritance is
> buggy/complex enough. As a user interested in a stable build tool, I
> really
> dislike the idea of another concept that interferes with plugin
> resolution.
>
> > Those who have followed best practice and locked their versions
> > down will not be affected by this at all.
>
> The reality looks different: http://jira.codehaus.org/browse/MNG-3394
> As a prerequisite for the proposed additions to the super POM, this issue
> should be fixed.
>
> Regards,
>
>
> Benjamin Bentmann
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

>> We advertise the hell out of it and people will discover it as they have a
>> problem that they resolve, can migrate to it as an upgrade process in their
>> company environments and we don't screw someone over with our benevolent
>> power.
>
> I think the biggest beef people have is that we are unstable by default. I don't think that requiring some action to get the versions locked is really going to help much. Otherwise we just continue to advertise the hell out of locking down your versions in the pom (which hasn't been working).
>
> --Brian
>
>

> I have to change my vote to -1 :
>
> Current maven behavior introduces some issues when plugin version is  
> not
> set. Many users got errors with this and learned to use version.
>
> Having maven super-POM set plugin version will make the build depend  
> on
> maven version used.
>
> Simple scenario :
>
> I create a project with maven 2.0.9, wich introduces superPOM
> with versionned plugins. My build is reproductible even when new  
> plugins are
> released. This DOESN't learn me best-practices about plugins  
> versionning.
>

>
>
>
> I got such scenario in REAL-WORLD projects using maven1 : maintenance
> developers (maven newbees) had errors when building the project ...  
> because
> maven 1.1 was installed as default on the developer environment, and  
> the
> project used maven 1.0.2 with some uncompatible plugins.
>
>
>
> I'd suggest another way to go :
>
> Change maven to read the POM <prerequisites> and warn when installed  
> maven
> ISN't the one expected (could it accept version ranges ?). Or  
> better : make
> maven core automatically downgrade to expected runtime jars ?
>

> Nico.
>
> 2008/2/9, nicolas de loof <nicolas@...>:
>>
>> +1
>>
>> I've allready done similar "fix common plugins version" work in my
>> corporate POM, with version set for all
>> org.apache.maven.plugins and many org.codehaus.mojo.
>>
>> Recent release of surefire plugin demonstrates many users suffering  
>> from
>> the "get latest" plugin policy, and some builds not beeing  
>> reproductible
>> anymore.
>>
>> Nico.
>>
>>
>> 2008/2/9, Brian E. Fox <brianf@...>:
>>>
>>> I know it's been discussed before in the context of various other  
>>> issues
>>> and solutions, but I want to discuss locking down core plugins in  
>>> the
>>> super pom _for_ 2.0 _only_.
>>>
>>>
>>>
>>> Normally we get into some large protracted discussions about better
>>> solutions and drawbacks/benefits of them, meanwhile the users  
>>> suffer the
>>> wrath of auto plugin updates. Considering the amount of time I spent
>>> writing the enforcer requirePluginVersions rule, you can safely  
>>> assume
>>> you don't need to convince me that the _right_ way is to lock them  
>>> down
>>> in your poms. I already believe that. I also think that there is
>>> probably a better solution, whether it's plugin packs (which I don't
>>> agree with at this point) or something else. We can agree that  
>>> whatever
>>> else it is that may be done will come in 2.1 and for a large  
>>> portion of
>>> users 2.1 in production is a long way off and we continue to  
>>> suffer "bad
>>> press" about the instability of Maven in the mean time. So I'd  
>>> like to
>>> put those discussions aside for now and simply discuss the  
>>> ramifications
>>> of defaulting the core plugin versions in the super pom in 2.0 only.
>>>
>>>
>>>
>>> I see two main benefits:
>>>
>>> 1.      Those who have followed best practice and locked their  
>>> versions
>>> down will not be affected by this at all. The normal inheritance  
>>> rules
>>> will apply, and we'll put these versions into the pluginManagement
>>> section of the super pom.
>>>
>>> 2.      Those who have not locked their versions down will only be
>>> affected by gaining stability in between maven releases. If they  
>>> want a
>>> new plugin before the next Maven release, they will have to follow  
>>> the
>>> best practices and lock their version down to the new version. (this
>>> actually informs people and encourages them to learn how to do
>>> that...but when _they_ are ready to do it because they are  
>>> motivated to
>>> grab a new release, not when they least expect it because we  
>>> pushed out
>>> a plugin that broke their build)
>>>
>>> 3.      The change is very simple, can be done quickly and has  
>>> little
>>> harm of creating more problems.
>>>
>>>
>>>
>>> The only drawback I can see is that it lulls people into a false  
>>> sense
>>> of security because _less_ plugins auto update.... Not all of them.
>>> Certainly we won't lock down every  plugin in existence and those
>>> plugins will still be subjected to the auto update. Again, I'm not
>>> suggesting we solve the world here, but this is a simple step  
>>> forward to
>>> reduce the impact of one of the most frequent complaints of the  
>>> users.
>>>
>>>
>>>
>>> If you can think of some serious drawbacks to this approach, speak  
>>> now
>>> for forever hold your peace ;-)
>>>
>>>
>>>
>>> --Brian
>>>
>>>
>>>
>>>
>>>
>>>
>>

> Brian E. Fox wrote:
>>> We advertise the hell out of it and people will discover it as  
>>> they have a
>>> problem that they resolve, can migrate to it as an upgrade process  
>>> in their
>>> company environments and we don't screw someone over with our  
>>> benevolent
>>> power.
>> I think the biggest beef people have is that we are unstable by  
>> default. I don't think that requiring some action to get the  
>> versions locked is really going to help much. Otherwise we just  
>> continue to advertise the hell out of locking down your versions in  
>> the pom (which hasn't been working).
>> --Brian
>
> A tiny inexperienced voice from the user side of things chiming in  
> here...
>
> For me, I am completely aware that I want to lock *everything* down  
> (including plugins) to have reproducible builds.  So marketing,  
> advertising, pleading with us, educating us is not the issue.
>
> The problem is not knowing or being able to keep up with the list of  
> what combination of plugins and maven versions work well together.
>
> Whether or not the list of plugin versions is in the super POM is  
> not the isue for me. It is the wisdom and experience of the person  
> who would make the choices of which versions of the plugins to put  
> in that default list that is the real value.
>
> In general I don't want to have to make those choices for every  
> plugin -- just the occasional exception for when I really need some  
> new feature or old compatibility.
>
> Either of two approaches would satisfy me:
>
> 1)  Benevolent dictators strongly suggest the list of plugin  
> versions which are thought to be stable together and that is in the  
> super POM or I just cut-n-paste the suggested list in there myself  
> from the web site.
>

> 2)  I just go ahead and try my build process using all the latest  
> plugin versions (current default behavior) and then when I see that  
> they all work together have some mechanism to freeze the list and  
> have the current versions (whatever they are) automatically written  
> into my POM without me having to sort through and figure out what  
> the versions are and manually insert them into the POM.  I would  
> want to be able to freeze the list not just at release time but at  
> any arbitrary time to stabilize the development environment for my  
> team.
>
>
> Thanks.
>
>
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>

>
>
> >I have to change my vote to -1 :
>
> >Current maven behavior introduces some issues when plugin version is
> not
> >set. Many users got errors with this and learned to use version.
>
> >Having maven super-POM set plugin version will make the build depend on
> >maven version used.
>
> Compare this change to the current behavior. People simply are not
> locking them down either because they don't know or they don't want to
> make huge xmls. (remember I still think locking them down is the right
> way to do it, but apparently the majority of the users don't/won't). So
> if we do nothing, they are just as likely to have un-reproducible builds
> with a later version of maven. And worse, they potentially break across
> developers because their machines have different versions and it changes
> suddenly without them having any interaction.
>
> What you point out is definitely a risk, but I see it as less harmful
> than the current method.
>
> --Brian
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

>
> On Sat, 2008-02-09 at 09:04 -0800, Jason van Zyl wrote:
>> On 9-Feb-08, at 8:49 AM, Aaron Metzger wrote:
>>> For me, I am completely aware that I want to lock *everything* down
>>> (including plugins) to have reproducible builds.  So marketing,
>>> advertising, pleading with us, educating us is not the issue.
>
>> The code in the enforcer plugin can actually extract the versions  
>> that
>> were used as part of a build so we could turn this into something
>> people could use. John has also been working on a lifecycle plugin
>> which displays the information about the lifecycle which means we
>> could extract the information from that too and make a descriptor. So
>> we can test different combinations of plugins as they are released  
>> and
>> give those combinations to users in some controlled way.
>
> I think the idea of specifying versions in the "super pom" is
> pointless. Stability for a given release of maven is not particularly
> useful when many users are using different versions of maven to build
> something.
>
> It would be much more useful for maven 2.0.9 to simply *warn* when a
> plugin is found without a version.

> That's better than trying to
> "advertise" best practice via the maven website. Better yet, have it
> fail the build unless some kind of "override" option is present on the
> command-line. Isn't that part of what the enforcer plugin actually  
> does?
> If so, then why not make that a default plugin in maven 2.0.9, ie bind
> it to an appropriate phase by default?
>
> It would be also nice for maven to have the ability to dump the  
> versions
> of stuff it uses for any particular build, then allow later runs of
> maven to accept that dump-file as input to set the versions. That's a
> quick-fix for people who find 2.0.9 reporting errors on their builds  
> due
> to incomplete dependency versioning.
>
> I've personally never encountered a situation where one version of a
> plugin would not work with some other version of a different plugin.
> What I have found difficult is determining whether things *have* all
> been locked down or whether something has been missed.
>
> Regards,
> Simon
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>

> On 2/10/08, Jason van Zyl <jason@...> wrote:
>> You're asking for a far more complicated solutions to be implemented
>> which generally aren't much more helpful. You're also conflating the
>> solution with what people should do and what they should actually be
>> doing. Yes, people should use versions for their plugins, but in the
>> absence of that putting the versions in the POM is the easiest
>> solution to provide the most stability, in most cases.
>
> Well said.  I'm really excited to see this discussion and the
> generally positive support for the proposal.  Providing stable,
> repeatable builds out of the box is such an important feature in a
> build tool.  As I understand it, you can still override the plugin
> versions in your own POMs, but for the vast Maven newbie public, this
> change would go a long ways to meeting expectations.
>

> Reproducible builds require the user himself to lock the plugin  
> versions in his own (corporate) POM, nobody else can do this.
>
> The changes to the super POM are all about improving (not solving)  
> the current situation for Maven 2.0.x. If we can agree on the  
> assumption that there are less different versions of Maven in use  
> than local repositories existent among the developers, the additions  
> in the super POM help to improve build reproducibility.
>
>> It would be much more useful for maven 2.0.9 to simply *warn* when a
>> plugin is found without a version. That's better than trying to
>> "advertise" best practice via the maven website. Better yet, have it
>> fail the build unless some kind of "override" option is present on  
>> the
>> command-line.
>
> For the sake of backward-compatibility within the 2.0.x development  
> line, one surely would not want to break the build here.
>
>> What I have found difficult is determining whether things *have* all
>> been locked down or whether something has been missed.
>
> You could run
> mvn clean deploy site-deploy -U
> and grep for "checking for updates" in the log output.
>
> Regards,
>
>
> Benjamin Bentmann
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>