The question came up again on IRC yesterday about how to best handle continuous integration and whether we can use snapshot dependencies in the build. I'd like to discuss this and hopefully come up with some best practices for AS 7. First I will try to define the problem as I understand it, and then we can discuss how to hande it.
Defining The Problem
Maven uses a concept of a snapshot dependency where the most recent deployment of the artifact is downloaded from the repository. The problem is that the specific dependency versions are not tracked in the POM in the repository. So let's say we have three projects A, B, and C where A depends on B which depends on C.
A:1.0-SNAPSHOT -> B:2.0-SNAPSHOT -> C:3.0-SNAPSHOT
First, project C is built and deployed to the repository (build # 1 of C). Next, project B is built and deployed to the repository (build # 1 of B). B has a dependency on C:3.0-SNAPSHOT in the POM, but B is actually dependent on build number 1 of C. Next, project A is built in the continuous integration server (Hudson) and has an failure during testing. The real dependency tree looks like
A:1.0-SNAPSHOT -> B:2.0-SNAPSHOT-build-1 -> C:3.0-SNAPSHOT-build-1
Next, project C is modified and built and deploy again (build # 2 of C). A developer of project A checks out the code and tries to reproduce the error from the Hudson build. Instead of seeing the expected error, the developer of project A sees a new error introduced by C:3.0-SNAPSHOT-build-2. The developer is unable to reproduce the error seen in the Hudson build, because the build no longer contains any reference to C:3.0-SNAPSHOT-build-1. In a project with a medium to large dependency tree it is not possible/practical to track down the original dependency tree used during the Hudson build.
As far as I can tell the Maven project itself does not deal with this problem. For the Maven project it seems to be uncommon that a new snapshot dependency deployment will prevent the ability to reproduce errors. There are a few reasons why this doesn't affect the Maven project the same way as it affects the JBoss AS project:
- Smaller dependency tree
- Less frequent snapshot deployments
- more stable set of dependencies (slower changes)
- Continue the practice of not allowing SNAPSHOTs in the dependency tree.
- Use normal Maven SNAPSHOTs with the risk of not being able to reproduce errors in some situations
- Find a way to lock snapshots to their timestamped versions during deployment
- Use the versions-maven-plugin to lock and unlock snapshots before deployment
- Always use timestamped snapshots and add something to the versions-maven-plugin to automate updating to the latest