Where is the best place to specify maven repositories, pom.xml or settings.xml

maven-2

Where is the best place to specify required repositories for maven projects, pom.xml or settings.xml? What are the pros and cons of each location? What is best practice?

It seems to me that defining the repositories in the POM is better for a number of reasons:

Reproducibility: The dependent artifacts are coming from a known location that is explicitly declared in the POM. There is also less opportunity for a user's misconfigured repositories to cause problems.
Portability: This POM will build on anyone's machine with maven installed. There are no additional requirements on additional user configured repository settings.
Ease of use: It's easier for new developers to retrieve and build the project because there is less configuration to setup.

Perhaps a con is that if the location of the repository changes in the future, proxies need to be installed or patch releases of old software need to be released specifying the new repository locations (or .m2/settings.xml can always provide additional repositories as a last resort). However, this seems like a necessary ramification of good reproducibility and portability in release management rather than a con.

Any other thoughts?

Best Answer

Where is the best place to specify required repositories for maven projects, pom.xml or settings.xml? What are the pros and cons of each location? What is best practice?

I'd personally define the repositories required by a particular project in the project pom.xml because it keeps the build portable. The settings.xml file should be used for user specific or secret things only in my opinion. No really, asking the user to add repository locations, even if this is properly documented, somehow defeats one of maven's feature (transparent dependency handling) and I don't like this idea.

The only "good" use case I can think of for using settings.xml to deal with repositories is when you have a corporate repository and want Maven to use this repository instead of public ones. For example, to avoid connections to any public repository, you would declare the corporate repository as a mirror of all of them:

<settings>
  ...
  <mirrors>
    <mirror>
      <id>proxy-of-entire-earth</id>
      <mirrorOf>*</mirrorOf>
      <name>Maven Repository Manager running on repo.mycompany.com</name>
      <url>http://repo.mycompany.com/proxy</url>
    </mirror>
  </mirrors>
  ...
</settings>

Related Solutions

Java – How to tell Maven to use the latest version of a dependency

NOTE:

The mentioned LATEST and RELEASE metaversions have been dropped for plugin dependencies in Maven 3 "for the sake of reproducible builds", over 6 years ago. (They still work perfectly fine for regular dependencies.) For plugin dependencies please refer to this Maven 3 compliant solution.

If you always want to use the newest version, Maven has two keywords you can use as an alternative to version ranges. You should use these options with care as you are no longer in control of the plugins/dependencies you are using.

When you depend on a plugin or a dependency, you can use the a version value of LATEST or RELEASE. LATEST refers to the latest released or snapshot version of a particular artifact, the most recently deployed artifact in a particular repository. RELEASE refers to the last non-snapshot release in the repository. In general, it is not a best practice to design software which depends on a non-specific version of an artifact. If you are developing software, you might want to use RELEASE or LATEST as a convenience so that you don't have to update version numbers when a new release of a third-party library is released. When you release software, you should always make sure that your project depends on specific versions to reduce the chances of your build or your project being affected by a software release not under your control. Use LATEST and RELEASE with caution, if at all.

See the POM Syntax section of the Maven book for more details. Or see this doc on Dependency Version Ranges, where:

A square bracket ( [ & ] ) means "closed" (inclusive).
A parenthesis ( ( & ) ) means "open" (exclusive).

Here's an example illustrating the various options. In the Maven repository, com.foo:my-foo has the following metadata:

<?xml version="1.0" encoding="UTF-8"?><metadata>
  <groupId>com.foo</groupId>
  <artifactId>my-foo</artifactId>
  <version>2.0.0</version>
  <versioning>
    <release>1.1.1</release>
    <versions>
      <version>1.0</version>
      <version>1.0.1</version>
      <version>1.1</version>
      <version>1.1.1</version>
      <version>2.0.0</version>
    </versions>
    <lastUpdated>20090722140000</lastUpdated>
  </versioning>
</metadata>

If a dependency on that artifact is required, you have the following options (other version ranges can be specified of course, just showing the relevant ones here):

Declare an exact version (will always resolve to 1.0.1):

<version>[1.0.1]</version>

Declare an explicit version (will always resolve to 1.0.1 unless a collision occurs, when Maven will select a matching version):

<version>1.0.1</version>

Declare a version range for all 1.x (will currently resolve to 1.1.1):

<version>[1.0.0,2.0.0)</version>

Declare an open-ended version range (will resolve to 2.0.0):

<version>[1.0.0,)</version>

Declare the version as LATEST (will resolve to 2.0.0) (removed from maven 3.x)

<version>LATEST</version>

Declare the version as RELEASE (will resolve to 1.1.1) (removed from maven 3.x):

<version>RELEASE</version>

Note that by default your own deployments will update the "latest" entry in the Maven metadata, but to update the "release" entry, you need to activate the "release-profile" from the Maven super POM. You can do this with either "-Prelease-profile" or "-DperformRelease=true"

It's worth emphasising that any approach that allows Maven to pick the dependency versions (LATEST, RELEASE, and version ranges) can leave you open to build time issues, as later versions can have different behaviour (for example the dependency plugin has previously switched a default value from true to false, with confusing results).

It is therefore generally a good idea to define exact versions in releases. As Tim's answer points out, the maven-versions-plugin is a handy tool for updating dependency versions, particularly the versions:use-latest-versions and versions:use-latest-releases goals.

How to maven be used in a continuous integration situation to install versioned artifacts in the repository

Sounds like you want to build SNAPSHOT versions with unique versions.

So, in your POM declare the version as:

<version>#.#.#-SNAPSHOT</version>

Then, in the distributionManagement section of your POM, enable unique versions for the snapshotRepository via (see Maven's POM reference on this):

<snapshotRepository>
  <uniqueVersion>true</uniqueVersion>
  <id>your-snapshot-repo-id</id>
  <name>Your Snapshots</name>
  <url>http://your-snapshot-repo-url/maven</url>
</snapshotRepository>

FYI, note that Maven conventions recommend versions be declared as major.minor.revision. So, 1.0.25 instead of 1.0.0.25. If you're able to use this versioning scheme, things will work more smoothly in a Maven world.

Best Answer

Related Solutions

Java – How to tell Maven to use the latest version of a dependency

How to maven be used in a continuous integration situation to install versioned artifacts in the repository

Related Topic