From: Ian Darwin <<a href="mailto:ian@darwinsys.com">ian@darwinsys.com</a>><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<SNIP><br>
While I might not have worded it quite that way, I have considered writing a paper with the title "Maven Considered Harmful". But it would be too short to publish as a paper... The main problem is, as Hugo mentioned, dependencies can change without notice and break things on you. You want repeatable builds? Write a build system that saves the complete name and MD5 of every file, and checks every file that it downloads before using it, every time. The OpenBSD (Unix-like system) "ports" mechanism does this for all third-party software, and it therefore has repeatable builds. Maven does not.<br>
</blockquote></div><br>Storing your MD5s will let you know *if* you are repeating a build. It will not (reasonably) let you repeat a build.<br><br>You need some way of identifying the file you want to build *to the revision control system* (so you can download that version) if you want repeatable builds.<br>
<br>That's why I've talked about dates for external build systems, which someone astutely pointed out could be an issue because of the many time zones involved, and I believe they discussed some 'pin' notion in mtn. I'm pretty sure every RCS has some way of letting you get an identifier for the version for each controlled file and retrieve that version later.<br>
<br>MD5s sound nice to verify, if you don't trust your revision control system (or perhaps the admins ;-)<br><br>Bobby<br clear="all"><br>-- <br>If it doesn't make you smile, you're doing something wrong.
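<br><br>An added example, not part of the original messages: a lock file that records both things the thread asks for, a version identifier to retrieve each dependency and a digest to check it before use. The file names, versions and the `pin`/`verify` helpers are hypothetical, and SHA-256 is swapped in for the MD5 named in the thread because MD5 collisions are practical.

```python
import hashlib
import tempfile
from pathlib import Path

ALGO = "sha256"  # assumption: swapped in for the MD5 mentioned in the thread


def file_digest(path: Path, algo: str = ALGO) -> str:
    """Hash a file in chunks so large artifacts need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pin(cache: Path, versions: dict) -> dict:
    """Record name -> (version identifier, digest) for every cached file."""
    return {p.name: (versions[p.name], file_digest(p))
            for p in sorted(cache.iterdir()) if p.is_file()}


def verify(cache: Path, lock: dict) -> dict:
    """Check every file before use; return name -> status string."""
    report = {}
    for name, (version, expected) in lock.items():
        path = cache / name
        if not path.is_file():
            report[name] = f"missing: fetch {version}"
        elif file_digest(path) != expected:
            # The digest only detects the change; the version says what to refetch.
            report[name] = f"mismatch: refetch {version}"
        else:
            report[name] = "ok"
    for p in cache.iterdir():
        if p.is_file() and p.name not in lock:
            report[p.name] = "unpinned: refuse to use"
    return report


def demo() -> dict:
    """Constructed sample: two pinned artifacts, one later changed upstream."""
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d)
        (cache / "liba.jar").write_bytes(b"liba 1.0 contents")
        (cache / "libb.jar").write_bytes(b"libb 2.3 contents")
        lock = pin(cache, {"liba.jar": "1.0", "libb.jar": "2.3"})
        (cache / "libb.jar").write_bytes(b"libb republished")  # silent change
        (cache / "libc.jar").write_bytes(b"new transitive dep")  # never pinned
        return verify(cache, lock)


if __name__ == "__main__":
    print(demo())
```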