[keycloak-dev] Feedback about our BOMs

Stian Thorgersen sthorger at redhat.com
Mon Mar 13 03:35:57 EDT 2017


Makes sense. Here's the fix:
https://github.com/keycloak/keycloak/pull/3942

On 10 March 2017 at 17:50, Sebastien Blanc <sblanc at redhat.com> wrote:

> Hi,
>
> One of the requirements to get added on the start.spring.io website is to
> have BOMs and that is what we did. But now they are reviewing our request
> and I got this as a remark:
>
> "
> The version.keycloak version in your bom doesn't look right to me. If you
> import a bom of version A.B.C it makes no sense to ask for D.E.F. (a
> dependency may have been added/removed in that version). I'd rather
> hard-code the version in each dependency (that will be updated by the
> release process the same way as the property anyway). Also, that bom is a
> child of your main pom which is usually a bad idea. I can see that you have
> a repositories definition there that is going to pollute the Maven build.
> Worse, you inherit from the dependency management of the whole
> infrastructure (including Jackson, log4j and a bunch of 3rd party
> libraries). We can't accept a bom that does that as it conflicts with
> Spring Boot's dependency management.
> "
>
> Does that all make sense to you? TBH I'm not a BOM expert but it looks like
> it makes sense (at least for not using the keycloak parent pom)


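An added example, not part of the original thread or of the Keycloak project: a small Python check that flags the three problems the quoted remark names in a BOM (a parent POM, a repositories section, property-driven versions). The two POMs and the `org.example` names are constructed; only the `version.keycloak` property name comes from the remark.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def audit_bom(pom_xml):
    """Return findings for the three problems named in the review remark."""
    root = ET.fromstring(pom_xml)
    findings = []
    # A <parent> drags in the parent's dependencyManagement and repositories.
    if root.find("m:parent", NS) is not None:
        findings.append("inherits-parent")
    if root.find("m:repositories", NS) is not None:
        findings.append("declares-repositories")
    # The remark prefers hard-coded versions over a ${property} reference.
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        version = dep.findtext("m:version", default="", namespaces=NS)
        if "${" in version:
            findings.append("property-version:" + dep.findtext("m:artifactId", "?", NS))
    return findings

# Constructed sample shaped like the criticised BOM (names are placeholders).
BOM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.example</groupId><artifactId>example-parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>example-bom</artifactId>
  <packaging>pom</packaging>
  <properties><version.keycloak>1.0.0</version.keycloak></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>org.example</groupId><artifactId>example-adapter</artifactId>
    <version>${version.keycloak}</version>
  </dependency></dependencies></dependencyManagement>
</project>"""

# Constructed sample: standalone BOM with the version hard-coded.
BOM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>example-bom</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>
  <dependencyManagement><dependencies><dependency>
    <groupId>org.example</groupId><artifactId>example-adapter</artifactId>
    <version>1.0.0</version>
  </dependency></dependencies></dependencyManagement>
</project>"""

if __name__ == "__main__":
    print(audit_bom(BOM_BEFORE))
    print(audit_bom(BOM_AFTER))
```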