Pure Danger Tech


Publish globally, trust locally

27 Mar 2008

At Terracotta we use several dependency management systems. Our main source tree depends on Ivy and our Forge is heavily reliant on Maven.

Right now we’re starting the process towards our next release and got to the point of cutting the release branch. This, of course, required our main source build system (using Ivy in this case) to download the Internet from ibiblio and beyond. For some reason, a handful of dependencies are now missing from ibiblio. I’m sure we’ll track it down and get things running in short order, but it’s a few more lost hours and a slight hold on development.

Prior to Terracotta, I worked on and built ground-up several build systems (mostly Ant-based) but had never used a dependency management system before. Since I’ve been here, I’ve done a whole buncha Maven and use our own internal build system on a daily basis. [Urge to rant about Maven fading…fading…rising…fading… :)] I’ve come to believe there’s actually a lot of value in fighting through and understanding your dependencies on a deep basis. When you can just download anything from the net, you don’t bother trying to figure out why the heck you depend on spongebob.util-1.9.jar anyways.

I personally have been bitten by the equivalent of the missing or broken Internet-based dependency several times, something I never experienced on my own build systems. Of course, I spent a lot of tortuous hours figuring out how to manage dependencies in my own build system and maintaining them over time, including problems with naming, versioning, integration into IDEs, etc. Clearly everyone has a dependency management problem and you choose whether to loosen your grip and go global or maintain a white-knuckled death grip but take control of your own destiny.

This led me to the thought that there is much good to come from publishing globally. The rapid rise and prominence of public module repositories with a well-defined scheme for jar naming, search, and indexing based on the Maven coordinate model is a freaking god-send. For my money, this is the hands-down best thing to come out of Maven, Ivy, etc. By all means, I want everyone out there to publish modules using these quasi-standards into public repositories and publish their Maven coordinates.

But from a use point of view, I can’t have a build system that depends on the Internet. You have to have a backstop in your organization that can take care of those dependencies in case of net drift, or that shadows the net with a trusted local source. So, you really shouldn’t be using Maven without an enterprise or group-level repository as well. There are also a number of open source and commercial repository systems that can address security and other issues. I haven’t used any of those but I gotta believe they will continue to rise in importance.
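One way to wire that backstop into an Ivy build is a chain resolver that consults a local cache and an in-house repository before ever touching ibiblio. This is an added example, not Terracotta’s or Ivy’s own configuration; the `repo.example.internal` URL is an assumed placeholder for your organization’s repository manager.

```xml
<!-- ivysettings.xml: trust local sources first, fall back to the public net last -->
<ivysettings>
  <!-- Every module resolves through the chain unless a resolver is named explicitly -->
  <settings defaultResolver="trusted-chain"/>

  <resolvers>
    <!-- returnFirst="true": stop at the first resolver that has the module, so a
         module pinned locally or in-house can never be shadowed by whatever
         happens to be published under the same coordinates on the public net -->
    <chain name="trusted-chain" returnFirst="true">

      <!-- 1. Developer-local repository: modules you built or vetted yourself -->
      <filesystem name="local">
        <ivy      pattern="${ivy.default.ivy.user.dir}/local/[organisation]/[module]/[revision]/ivy.xml"/>
        <artifact pattern="${ivy.default.ivy.user.dir}/local/[organisation]/[module]/[revision]/[artifact].[ext]"/>
      </filesystem>

      <!-- 2. Organization-level repository manager (assumed host). It mirrors the
           public artifacts the build actually needs, so the build keeps working
           when ibiblio drifts, and it is the one place to review what comes in -->
      <ibiblio name="enterprise"
               m2compatible="true"
               root="http://repo.example.internal/maven2/"/>

      <!-- 3. Public repository, last resort only. Remove this resolver entirely on
           release-branch builds if the rule is "nothing new enters from the net" -->
      <ibiblio name="public" m2compatible="true"/>

    </chain>
  </resolvers>
</ivysettings>
```

The same idea in Maven is a `<mirror>` entry in settings.xml with `<mirrorOf>*</mirrorOf>` pointing at the in-house repository, which forces every download through the local backstop.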

My personal belief is that we are currently in a transitional period. I think we’re in a post-Ant world. Don’t get me wrong, I love Ant and I’ve spent a lot of quality time with it. It’s not perfect but it’s a very capable build tool. I think Maven is pointing us in a new direction with two key differences – standard repositories and standard build flows.

I don’t think Maven actually owns the next world. There have been many fine and detailed posts in the last few months about Maven issues and even some admirable people like Don Brown working avidly to fix it. I don’t think I have anything unique to add to those posts – they cover the space pretty well as I’ve seen it. I’m still puzzling on a model that can make our lives better as developers. Any thoughts?