Introduction and motivation
When I compare the Maven dependency mechanisms with our home-brewn solution in our company then among others one major thing is different: Maven does not know the concept of an artifact life cycle. (At least I do not know about such a mechanism and I do not refer to the build life cycle). Such life cycle status information would allow to extend the dependency management in a new dimension. One could declare whether certain dependencies are actually allowed to be used in a project, enabling effective technology management.
Consider the following sample use cases.
Scenario 1: Flawed versions
It turns out that
my-app-1.4.2.jar contains a serious security issue and is therefore flawed. Clients of this JAR should actually switch to a newer version
my-app-1.4.3.jar which fixes the bug and which is safe to use.
Scenario 2: Decommissioning
Let's assume that
my-app-1.4.2.jar is not supported anymore and projects should actually switch to a new release stream
Scenario 3: Restricted usage
Consider a library which has a restricted set of client projects, e.g. only certain projects are allowed to depend on a specific artifact.
On one hand, this life cycle information could be used to manage a repository in a more restrictive way, which makes it actually possible to perform technology management. On the other hand, when developers try to depend on an artifact which is actually not allowed, Maven could perform checks during the build life cycle and warn the user about inappropriate technology usage (dependency enforcement). Based on a flag the build would either fail or print a warning.
Our solution works as follows. The technology board decides which versions of a dependency are actually allowed and this information is declared in an XML file:
The build output would be as follows (solved with a simple Ant target):
Solution in Maven
Would such an extension make sense in Maven? Software companies definitively have to solve their technology management and if they choose Maven for dependency management they could immediately benefit from such a feature. The question is if the open source community would benefit as well? I would say yes: just consider scenarios 1 and 2 above.
So how would this feature be implemented? I think that the appropriate file would be
Would an additional Maven plug-in be enough to implement the checks? As far as I know there is no XML Schema available yet for
maven-metadata.xml. However, I've seen one here: http://jira.codehaus.org/browse/MNG-3125. The Archiva subproject would probably be the best place to maintain this information because it supports user roles. Archiva could even check for illegal dependencies.