Resolution: Done
We currently build the app using some `-SNAPSHOT` versions of dependencies during development. Modern dependency systems rely on the fact that once an artifact has been released with a version `X`, that artifact can never be changed again: Fetching version `X` of an artifact will always give you the same artifact; if you want to release a new artifact, you MUST increment `X`.
`-SNAPSHOT` versions are a bit of an escape hatch to allow for not having to do dozens of tiny incremental releases during development, where APIs may be changing regularly. The artifacts for `-SNAPSHOT` versions of dependencies may be updated and changed at any time. Developers can specify that they depend on a version `X-SNAPSHOT`, and they'll get whatever was the most recently published `X-SNAPSHOT` artifact at the time they asked for it. The problem with this is that it makes builds non-reproducible; every time you build the project, you might get different artifacts for all of your `-SNAPSHOT` version dependencies.
We should implement the following:
- A build-time check that scans the entire hierarchy of dependencies and, if the current project version is not a `-SNAPSHOT` version, then the project will refuse to build if any of the dependencies have versions that end with `-SNAPSHOT`. This check is not executed if the current project version is a `-SNAPSHOT` version (to allow us to continue to use snapshots during development).
- A policy that we never ever ever deploy `-SNAPSHOT` versions to the Play Store.
Anything specifically released to patrons must come from a tagged version that we can reproduce later.
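The logic of the build-time check described above, as an added example that is not the project's own build code: it walks a resolved dependency graph, skips the check for `-SNAPSHOT` project versions, and reports the path to every snapshot artifact so a transitive offender can be traced to the direct dependency that pulls it in. The graph format, the function names and the `org.example` coordinates are assumptions constructed for illustration.

```python
from collections import deque

SNAPSHOT_SUFFIX = "-SNAPSHOT"

# Constructed sample: "group:name:version" -> direct dependencies.
GRAPH = {
    "org.example:app:1.2.0": ["org.example:streamer:2.0.0", "org.example:ui:1.0.0"],
    "org.example:app:1.3.0-SNAPSHOT": ["org.example:streamer:2.0.0"],
    "org.example:streamer:2.0.0": ["org.example:httpd-fork:2.3.2-SNAPSHOT"],
    "org.example:ui:1.0.0": ["org.example:streamer:2.0.0"],
}


def version_of(coordinate):
    """Return the version part of a group:name:version coordinate."""
    return coordinate.rsplit(":", 1)[1]


def find_snapshot_paths(root, graph):
    """Breadth-first walk of the whole hierarchy below root.

    Returns {snapshot coordinate: shortest path from root to it}.
    """
    paths = {}
    seen = {root}  # guards against cycles and repeated subtrees
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            if version_of(dep).endswith(SNAPSHOT_SUFFIX):
                paths[dep] = path + [dep]
            queue.append(path + [dep])
    return paths


def check_release_build(root, graph):
    """Raise if a non-snapshot project depends on any snapshot artifact."""
    if version_of(root).endswith(SNAPSHOT_SUFFIX):
        return  # development build: snapshots remain allowed
    offenders = find_snapshot_paths(root, graph)
    if offenders:
        report = "\n".join(" -> ".join(p) for p in offenders.values())
        raise RuntimeError("release build depends on -SNAPSHOT artifacts:\n" + report)
```

In a real build the graph would come from the build tool's resolved dependency report rather than a hand-written dictionary.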
Requirements:
- Implement build-time checking of `-SNAPSHOT` dependencies, to ensure builds are reproducible.
- Documentation for our release policy.
Acceptance criteria:
- We demonstrate that CI and local builds will refuse to build with `-SNAPSHOT` dependencies.
- There is human-readable documentation of our release policy in the project's README.md.
Expected issues:
I know we depend on one transitive -SNAPSHOT dependency: The R2 streamer is currently dependent on an EDR fork of nanohttpd that is only available as a snapshot. They need to do a proper release.