[Nix] Version of maven dependency com.google.code.gson is not locked
#4797
Comments
|
Maven apparently has no complete lock file support for dependencies and specifically transitive dependencies, but dependencies can be manually restricted in the There is Another approach would be to create a Maven repository mirror containing all dependencies that are required for the nix derivation and enforcing the use of that mirror, while disallowing the use of the central Maven repository. This would indefinitely lock all versions, but restrict the flexibility of updating or changing dependencies. Also, other build tools such as Gradle seem to support lock files, though the effort seems quite substantial, considering that the Java tooling is not under frequent development as of right now. Additionally, changing build tools without proper consideration of both build tools capabilities and differences is also very risky, as unforeseen challenges might arise. ConclusionRight now either the dependency locking in What are your thoughts on this? @tothtamas28 @jberthold @palinatolmach @ehildenb |
|
@dwightguth and @Robertorosmaninho, do you guys have a particular opinion on this issue and the potential solutions? |
|
I am in favour of the maven mirror suggestion to address this problem. It will stabilise the versions we have, and I don't see why the dependencies of the K frontend would need upgrades since we don't actively develop new features. The A complete change of the build away from maven makes a lot of sense in the long-term but it carries high risk and does not help for versions before the build system switch. |
#4820) In issue #4797 a problem was observed with nix packaging of Maven projects. In particular, upstream changes in Maven repositories caused the `mvnHash` in our derivation to be invalidated even though nothing changed in our derivation. This also breaks replicability of older derivations. This happened twice in recent times due to [GSON](https://mvnrepository.com/artifact/com.google.code.gson/gson) releasing two new version of their library, as described in the respective issue #4797 from before. Maven does not support locking dependencies and transitive dependencies. Therefore, the following potential solutions/workarounds were proposed: - locking dependencies in a best-effort manner, potentially using the Maven plugin [`dependency-lock-maven-plugin`](https://github.com/vandmo/dependency-lock-maven-plugin) - `dependency-lock-maven-plugin` does not lock dependencies for builds, but rather fails the build if the used dependencies mismatch the ones specified in a lock file, which is impractical for `nix` packaging - creating a Maven mirror that does not change and contains all dependencies required for building K - migrating to a tool such as Gradle that supports proper lock files Migrating to Gradle causes more development effort compared to the other solutions. Locking dependencies in a best-effort way could work good enough when coupled with the lock file generating plugin `dependency-lock-maven-plugin` providing additional verbose information for when things break. The mirror could cause additional maintenance overhead in the future. Considering that the Java code in K is currently not being worked on, a least-effort solution seems more appropriate. Therefore, this pull request introduces the script `update-maven-locks.sh` that uses `dependency-lock-maven-plugin` to generate lock files that are committed to the repository that can be used to determine transitive dependencies that changed version in Maven over time. The plugin is run when building the k nix derivation `k-lock` and lock files can be extracted from the output of the derivation. This is done automatically when running the new script `update-maven-locks.sh`. Additionally, when I was locking the GSON library version, I identified that the K Maven project actually did not update the GSON version being used and that it stayed fixed due to version requirements. Instead, `mvnHash` changing was caused by a `maven-metadata-central.xml` file being included in the offline Maven repository that was generated in nix. This file includes up-to-date information of the respective Maven dependency. Excluding this file actually causes the build to break. In particular, it fails to recognize the GSON library in the Maven repository. So apparently it must be included, though I am not exactly sure why and couldn't find any documentation indicating that this file is necessary for building. I added functionality to provide these files to the Maven derivation in a reproducible manner, i.e. providing the same revision of that file instead of fetching up-to-date version from the Maven repository. This way GSON will not cause the `mvnHash` to break again. I only identified GSON using and depending on this file in the K repository.
|
The pull request #4820 mostly fixes the replicability problem. It introduces an informational lock file that can be used to identify changed transitive dependencies quickly and fixes the replicability issue with the GSON library. Additionally, it was discovered that the GSON issue was caused instead by an updated xml file in the offline Maven repository that contains up-to-date information about all GSON libraries. This file is critical for building the project. Therefore, the pull request added logic to provide this file in a replicable manner instead of fetching the upstream file, which can cause the Should the |
Recently, the
mvnHashin the k nix derivation had to be changed even though nothing changed in the repository. This caused CI to break on pull requests, see here and here.The hash changing is apparently caused by a non-locked version of
com.google.code.gson. In particular, I compared upstream with version k-7.1.211 that was still stored in my nix store. The last change ofmvnHash, except for the recent hash change due to same kind of issue, happened in 7.1.210.Comparing the respective nix derivation outputs showed the following differences:
Previously
Now
This shows that the version of GSON must be locked, otherwise
mvnHashmust continously be updated every time a new version of GSON is released. In addition, it should be validated whether other maven dependencies are not locked as well and could cause the same kind of issue.Non-locked versions also have the major disadvantage that old revisions stop to build successfully, requiring an updated hash. In turn, updating the hash makes the builds not reproducible anymore due to old revisions requiring the use of new versions of dependencies.
The text was updated successfully, but these errors were encountered: