[Hawkular-dev] Timestamped SNAPSHOTs do not guarantee reproducibility
Peter Palaga
ppalaga at redhat.com
Tue Aug 18 12:10:35 EDT 2015
Hi again,
Today, I found that timestamped SNAPSHOTs do not guarantee reproducibility.
An example:
Let's have a simple war project [1] that depends on
hawkular-inventory-impl-tinkerpop
<dependencies>
<dependency>
<groupId>org.hawkular.inventory</groupId>
<artifactId>hawkular-inventory-impl-tinkerpop</artifactId>
<version>0.2.1-20150818.120735-14</version>
</dependency>
</dependencies>
Note that hawkular-inventory-impl-tinkerpop depends on another artifact
from the same group org.hawkular.inventory:hawkular-inventory-api
If we use version 0.2.1-20150818.120735-14 which happens to be the
*last* available snapshot in the repo [2], all is well: when we open the
war and check the Built-From-Git-SHA1 entries in MANIFEST.MF of
hawkular-inventory-impl-tinkerpop-*.jar and hawkular-inventory-api-*.jar
they both have the same value 90a594475048a7a81a5557a96ecd367cf6cc1d6c
But, let's say that we need to downgrade
hawkular-inventory-impl-tinkerpop to an older version 20150817.100338-13
for some reason:
<dependencies>
<dependency>
<groupId>org.hawkular.inventory</groupId>
<artifactId>hawkular-inventory-impl-tinkerpop</artifactId>
<version>20150817.100338-13</version>
</dependency>
</dependencies>
The war file build with hawkular-inventory-impl-tinkerpop
20150817.100338-13 contains hawkular-inventory-impl-tinkerpop-*.jar with
Built-From-Git-SHA1 c41249a9e45e3d5ed2cf2299db09463e339105e0 which is
expected, but hawkular-inventory-api-*.jar has Built-From-Git-SHA1
90a594475048a7a81a5557a96ecd367cf6cc1d6c which corresponds to the latest
snapshot 0.2.1-20150818.120735-14 rather than 20150817.100338-13. This
makes the build non-deterministic.
Thanks,
-- P
[1] https://github.com/ppalaga/snapshottest/blob/master/pom.xml#L40
[2]
https://repository.jboss.org/nexus/content/groups/public/org/hawkular/inventory/hawkular-inventory-impl-tinkerpop/0.2.1-SNAPSHOT/
On 2015-08-17 18:43, Peter Palaga wrote:
> Hi *,
>
> I tried to use $subj for the first time today, and I must say $subj did
> not meet my expectations. Namely, the timestamps and buildNumbers are
> generated at the instant of deployment of the given artifact, which may
> lead to distinct timestampts of artifacts of the same group and same
> deploy operation.
>
> So, when I want to use the latest timestamped SNAPSHOT of Alerts in
> Hawkular, there is no single timestamped version that I could use for
> all Alerts artifacts that I manage using the property
> ${version.org.hawkular.alerts}. To use the latest timestamped version, I
> actually can remove the <version.org.hawkular.alerts> property
> altogether. I have to put the latest 0.4.0-SNAPSHOT literal to into all
> managed alerts artifacts
> (https://github.com/hawkular/hawkular/blob/master/pom.xml#L154 and
> https://github.com/hawkular/hawkular/blob/master/pom.xml#L161) then run
>
> mvn versions:lock-snapshots -Psnapshots
>
> and voila, it resolves the versions as follows:
>
> <dependency>
> <groupId>org.hawkular.alerts</groupId>
> <artifactId>hawkular-alerts-actions-email</artifactId>
> <version>0.4.0-20150817.111158-17</version>
> <type>war</type>
> </dependency>
>
> <dependency>
> <groupId>org.hawkular.alerts</groupId>
> <artifactId>hawkular-alerts-rest</artifactId>
> <version>0.4.0-20150817.111150-18</version>
> <type>war</type>
> </dependency>
>
> Here, you can clearly see that the timestamped versions are not the same.
>
> This guarantees the reproducibility of the builds, but I would not call
> it practical. Manual maintenance of these scattered version numbers will
> be error prone and cumbersome. One can use mvn versions plugin to handle
> the versions.
> http://www.mojohaus.org/versions-maven-plugin/examples/advancing-dependency-versions.html
>
> Can anybody see a way how to make the timestamped snapshots easier to use?
>
> Thanks,
>
> Peter
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>
More information about the hawkular-dev
mailing list