Problem Description
Consider the case maven is being used on hudson.
Now someone took checkout of a project,modified some files but accidently used same artifact id and version number(non snapshot).
He/She then build this project on hudson and did maven install.The modified artifact is now in hudson .m2 . Any other project which depent on it will be build with modified artifact. No one finds this out if compilation doesn't fail. Even though correct artifact resides in central repository it is never used because modified one is picked up from .m2 when hudson starts building.
So i am looking for a way to prevent this accidental human error.
I have already checked that there is no way to force update non-snapshots versions from central repository as they are meant to be immutable.
Purging central repository or using separate repository for each job on hudson will result in increased build times & disk space usage respectively.
Any help would be appreciated.
By definition, snapshots are mutable, releases are immutable. This is why Nexus makes you store them separately because usually you don't care if you lose snapshots, but you will care if you lose releases. It makes snapshot cleanup much easier to deal with that way.
A Maven snapshot is a special version of a Maven package that refers to the latest production branch code. It is a development version that precedes the final release version. You can identify a snapshot version of a Maven package by the suffix SNAPSHOT that is appended to the package version.
The first place that Maven looks for artifacts is in the local repository, which is the local cache where Maven stores all of the artifacts it has downloaded or found elsewhere. The default location of the local repository is the . m2/repository/ directory under the user's home directory.
I don't think you're going to find a way to stop an install from overwriting an artifact. A repository server should have a setting to prevent deploying an updated release artifact though. See, for example, "How do I disable artifact redeployment" for Nexus.
Here is how we manage versions in our project:
We work on a SNAPSHOT
version. On Jenkins, we have a Fast Build job that builds and tests this application, but fails if the version is not a SNAPSHOT
. This is done by a custom enforcer (this is the opposite of the require release version enforcer).
When we want to make a release, we use a Jenkins job for that. Using the parameterized build, and Maven release plugin, the person who is in charge of doing the release will just indicate the version of the release (the stable version), the next SNAPSHOT
version, as well as the name of the SCM tag. Thus, only Jenkins will define a stable version and the developers will always work on a SNAPSHOT
code.
But of course, this does not prevent the developers to make what he wants on his local machine. But we always consider one trusted place: the Jenkins server. It works on my machine is never a good answer to a problem ;o)
There was no direct way to solve this but we solved this inderctly by writing a cron-job which runs every five minutes and marks all the jars which are NON-SNAPSHOT as read only in the local repository of Hundson . In this way when some project in Hudson tries to overwrite it my mvn install or mvn deploy it fails in overwiriting the artifacts as they are readonly.
Any new artifacts to be realeased can easily be written. Once written within next five minutes script marks them as read only.
Here is code for unix script permission-handler.sh
#!/bin/bash
cd ~/.m2
date 2>&1>> permission-handler.out
find . -name '*jar' -type f | grep -v 'SNAPSHOT' | xargs chmod -vc 444 2>&1>> permission-handler.out
chmod 777 permission-handler.out
Logging is also handled to see which all artifacts have been marked as released only.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With