Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a 'bom' to support managing dependencies #1766

Open
mattrpav opened this issue Sep 19, 2022 · 8 comments
Open

Add a 'bom' to support managing dependencies #1766

mattrpav opened this issue Sep 19, 2022 · 8 comments

Comments

@mattrpav
Copy link
Member

No description provided.

@grgrzybek
Copy link
Member

I understand you mean a BOM only with org.ops4j.pax.web.* groupId artifacts, right? Wiithout tests and samples?

@mattrpav
Copy link
Member Author

mattrpav commented Sep 19, 2022
edited
Loading

It should include org.ops4j.pax.web groupId artifacts, and dependencies. Basically, anything listed in a pax-web-* feature, so downstream users can simply reference 'org.eclipse.jetty/jetty-server' and the version is managed.

For example:
jetty-continuation, jetty-deploy, jetty-http, jetty-io, jetty-plus, jetty-proxy, etc

  • org.ops4j.pax.web artifacts
  • org.ops4j.pax.web feature xml
  • dependencies (ie. jetty, tomcat, undertow, etc)

@mattrpav
Copy link
Member Author

Come to think of it, pax-web might need separate boms if there are any overlap of transitive deps for pax-web-jetty vs pax-web-tomcat vs pax-web-undertow.

@grgrzybek
Copy link
Member

And the "dependencies" part is what I was afraid of... Because it'd include JavaEE APIs (even the fundamental one - jakarta.servlet/jakarta.servlet-api - but what if someone wants to use Geronimo/JBoss/SMX/Javax version of it?
I'll check and see where it's heading ;).

@mattrpav
Copy link
Member Author

mattrpav commented Sep 20, 2022
edited
Loading

The pom section used in a bom is dependencyManagement. You can list all the servlet api options without them being transitive.

The dependencyManagement does not mean dependency, it only sets version and scope when referenced by child poms in a dependency section.

See: https://github.com/apache/karaf/blob/main/bom/pom.xml

@grgrzybek
Copy link
Member

yes yes yes, I just work with BOMs for last few years and I know how messy they can be ;)
If Jetty/Tomcat/Undertow bundles bring in their own deps, it's sometimes hard to choose.

I like the clean approach of https://repo1.maven.org/maven2/org/springframework/spring-framework-bom/5.3.23/spring-framework-bom-5.3.23.pom - it lists only own managed dependencies.

@mattrpav
Copy link
Member Author

@grgrzybek what is a scenario that breaks with boms?

If child project imports 2 boms that have different versions, maven will resolve one and the user has the option of using the resolved, or overriding version and scope.

The problem with only using ‘own’ managed deps is that there is now a gap from what is listed in the feature. For building offline repos (ie. pax-web + cxf) requires surgery.

@grgrzybek
Copy link
Member

Yes, I understand. We could start with "project-bom" that lists only Pax Web managed deps and add optional, convenient "all-bom" (or "dev-bom", or "user-bom") that lists current dependencies (for example if there was Jetty BOM, I could use it there.

The point is that I prefer managing my own dependencies than include one BOM. I trust Spring Framework BOM, but for example, Spring Boot BOM is just too much - I want to control more. But that's personal approach.

Let me thing about it - maybe you could create a PR with a suggestion?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@grgrzybek @mattrpav