SimplyE 2.0 / SIMPLY-3634

Be strict about -SNAPSHOT versions


    • SIMPLY S6 March 16 - March 30, SIMPLY S7 March 30 - April 13, SIMPLY S8 April 13 - 27, SIMPLY S9 April 27 - May 11, SIMPLY S10 May 11 - May 25, SIMPLY S11 May 25 - June 8, SIMPLY Sprint 12 June 8 - 22, SIMPLY S13 June 22 - July 6, SIMPLY S14 July 6 - July 20, SIMPLY S15 July 20 - Aug 3, SIMPLY S16 August 3 - 17, SIMPLY S17 August 17 - 31, SIMPLY S18 Aug 31 - Sep 14, SIMPLY S19 Sep 14 - Sep 28, SIMPLY S20 Sep 28 - Oct 12, SIMPLY Sprint Oct 13 - Oct 26, SIMPLY S22 Oct 26 - Nov 9, SIMPLY S23 Nov 10 - 24
    • 3

      We currently build the app using some `-SNAPSHOT` versions of dependencies during development. Modern dependency systems rely on the fact that once an artifact has been released with a version `X`, that artifact can never be changed again: Fetching version `X` of an artifact will always give you the same artifact; if you want to release a new artifact, you MUST increment `X`.

      `-SNAPSHOT` versions are a bit of an escape hatch to allow for not having to do dozens of tiny incremental releases during development, where APIs may be changing regularly. The artifacts for `-SNAPSHOT` versions of dependencies may be updated and changed at any time. Developers can specify that they depend on a version `X-SNAPSHOT`, and they'll get whatever was the most recently published `X-SNAPSHOT` artifact at the time they asked for it. The problem with this is that it makes builds non-reproducible; every time you build the project, you might get different artifacts for all of your `-SNAPSHOT` version dependencies.

      We should implement the following:

      • A build-time check that scans the entire hierarchy of dependencies: if the current project version is not a `-SNAPSHOT` version, the project will refuse to build if any of the dependencies have versions that end with `-SNAPSHOT`. This check is not executed if the current project version is a `-SNAPSHOT` version (to allow us to continue to use snapshots during development).
      • A policy that we never ever ever deploy `-SNAPSHOT` versions to the Play Store.
        Anything specifically released to patrons must come from a tagged version that we can reproduce later.

      Requirements:

      • Implement build-time checking of `-SNAPSHOT` dependencies, to ensure builds are reproducible.
      • Documentation for our release policy.

      Acceptance criteria:

      • We demonstrate that CI and local builds will refuse to build with `-SNAPSHOT` dependencies.
      • There is human-readable documentation of our release policy in the project's README.md.

      Expected issues:
      I know we depend on one transitive -SNAPSHOT dependency: The R2 streamer is currently dependent on an EDR fork of nanohttpd that is only available as a snapshot. They need to do a proper release.
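
The build-time check proposed above, sketched as an added example (not the project's own code): it reports the full path to each offending dependency, so a transitive snapshot is traced back to the direct dependency that pulls it in. It assumes the build is Gradle and reads the text of a `gradle dependencies` report; the `org.example` coordinates and the sample report are constructed.

```python
import re
import sys

# One node of a Gradle `dependencies` report: 5 columns of indent per level,
# then "+--- " or "\--- ", then the coordinate and optional markers.
NODE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (.*)$")

# Constructed sample report; the org.example coordinates are made up.
SAMPLE_REPORT = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- org.example:ui-kit:1.4.0
|    \--- org.example:core:1.2.0 -> 1.3.0
\--- org.example:streamer:2.0.0
     \--- org.example:httpd-fork:2.3.2-SNAPSHOT
"""

def is_snapshot(version):
    return version.endswith("-SNAPSHOT")

def snapshot_paths(report):
    """Return the root-to-leaf path of every node resolved to a -SNAPSHOT."""
    stack, found = [], []
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legend
        depth = len(m[1]) // 5
        rest = re.sub(r" \([*cn]\)$", "", m[2])  # drop (*), (c), (n) markers
        declared, _, resolved = rest.partition(" -> ")
        parts = declared.split(":")
        # "->" shows the version Gradle actually selected; it wins over the
        # declared one, so a release pulled up to a snapshot is still caught.
        version = resolved or (parts[2] if len(parts) > 2 else "")
        del stack[depth:]
        stack.append(":".join(parts[:2] + [version]))
        if is_snapshot(version):
            found.append(" > ".join(stack))
    return found

def check_release(project_version, report):
    """Snapshot project versions are exempt; release versions must be clean."""
    return [] if is_snapshot(project_version) else snapshot_paths(report)

if __name__ == "__main__":
    # Usage (assumed): gradle dependencies | python check.py <project-version>
    offenders = check_release(sys.argv[1], sys.stdin.read())
    for path in offenders:
        print("SNAPSHOT dependency:", path, file=sys.stderr)
    sys.exit(1 if offenders else 0)
```

Subtrees that Gradle elides with `(*)` are listed in full at their first occurrence, so each snapshot is still reported at least once.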

            markraynsford Mark Raynsford