My only concerns with this would relate to comitting this kind of src dependency to the
poms in the main branches in the widlfly/wildfly and wildfly/wildfly-core repos. We’ve
managed to survive up to now with little or no need for that kind of thing, so until we
get used to using this in other ways IMHO we should follow the KISS principle and forbid
A trick is avoiding doing that by mistake; i.e. a PR is sent up with a SRC dependency to
get CI or review and accidentally gets merged. But I suppose that’s not the end of the
world, so long as the release process will eventually detect it and fail.
Can making srcdeps fail (or just disabling it) be turned on via a maven profile? With that
we could set up such a profile and turn it on in CI jobs that are testing branches where
it’s forbidden (e.g. the nightly builds of master.)
Oh, one other concern — how robust is this in the face of poor maintenance? I see a lot of
boilerplate in that .mvn/srcdeps.yaml. If that gets out of date or something is the only
effect that using a src dependency for the affected item doesn't work?
On Jan 25, 2017, at 3:45 PM, Peter Palaga <ppalaga(a)redhat.com>
this is not new to those of you who attended my talk on the F2F 2016 in
Brno. Let me explain the idea here again for all others who did not have
a chance to be there.
Srcdeps  is a tool to build Maven dependencies from their sources.
With srcdeps, wildfly-core can depend on a specific commit of, e.g.,
where aabbccd is the git commit id to build when any undertow artifact
is requested during the build of wildfly-core.
 describes in detail, how it works.
The main advantage of srcdeps is that changes in components can be
integrated and tested in wildfly-core immediately after they are
committed to a public component branch. There is no need to wait for the
Here in the WildFly family of projects, it is often the case that
something needs to be fixed in a component, but the verification (using
bug reproducer, or integration test) is possible only at the level of
wildfly or wildfly-core. Engineers typically work with snapshots
locally, but when their changes need to get shared (CI, reviews) in a
reproducible manner, snapshots cannot be used anymore.
In such situations a source dependency come in handy: it is very easy to
share and it is as reproducible as a Maven build from a specific commit
can be. All CIs and reviewers can work with it, because all source
dependency compilation is done under the hood by Maven.
Developers working on changes that span over multiple interdependent git
repos can thus get feedback (i-tests, reviews) quickly without waiting
for releases of components.
Srcdeps emerged in the Hawkular family of projects to solve exactly this
kind of situation and is in use there since around October 2015.
When I said there is no need to wait for releases of components, I did
not mean that we can get rid of component releases altogether. Clearly,
we cannot, because i.a. for any tooling uninformed about how srcdeps
work, those source dependencies would simply be non-resolvable from
public Maven repositories. So, before releasing the dependent component
(such as wildfly-core) all its dependencies need to be released. To
enforce this, srcdeps is by default configured to make the release fail,
as long as there are source dependencies.
I have sent a PR introducing srcdeps to wildfly-core:
To get a feeling how it works, checkout the branch, switch to e.g.
(that happens to be the commit id of the 1.4.8.Final tag)
and build wildfly-core as usual with "mvn clean install". You'll see in
the build log that undertow is being cloned to ~/.m2/srcdeps/io/undertow
and that it is built there. After the build, check that the
version of Undertow got installed to your local Maven repo (usually
Are there any questions or comments?
P.S.: I will be talking about srcdeps on Saturday 2017-01-28 at 14:30 at
wildfly-dev mailing list
Manager, Senior Principal Software Engineer
JBoss by Red Hat