Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Use exact maven versions
See original GitHub issueWhat version of gRPC-Java are you using?
1.38.0
What is your environment?
Maven
What did you expect to see?
Developers and DevOps people that build CI/CD pipelines expect builds to be reproducible and deterministic. If we build a project today or next year (assuming the same exact commit id), we expect the same binary to be built. That is not the case with the grpc maven artifacts.
For example, snapshots are discouraged from being used in production builds because they can be overwritten with newer code or completely deleted; either changing application behavior or breaking the build.
What did you see instead?
When building the project using maven it will reach out across the network to check for a newer version of grpc to build with. This opens the project to builds that are not deterministic.
Steps to reproduce the bug
I have a maven project that uses grpc-okhttp, and I execute mvn clean install. Observe the output contains
[INFO] Building Project 1.0.0
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from atlassian-public: https://packages.atlassian.com/mvn/maven-external/io/grpc/grpc-api/maven-metadata.xml
Downloading from sourceforge-releases: https://oss.sonatype.org/content/repositories/sourceforge-releases/io/grpc/grpc-api/maven-metadata.xml
Downloading from central: https://repo.maven.apache.org/maven2/io/grpc/grpc-api/maven-metadata.xml
Downloaded from central: https://repo.maven.apache.org/maven2/io/grpc/grpc-api/maven-metadata.xml (1.7 kB at 3.3 kB/s)
Downloaded from atlassian-public: https://packages.atlassian.com/mvn/maven-external/io/grpc/grpc-api/maven-metadata.xml (1.7 kB at 2.6 kB/s)
Expected Resolution
Please consider updating this line of code so that it stops wrapping the version with [ ] and use only specific version numbers:
https://github.com/grpc/grpc-java/blob/master/build.gradle#L411
core.version*.value = "[" + core.version.text() + "]"
Instead of [1.38.0] (which causes the network activity), the unwrapped value 1.38.0 is the expected output.
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I can imagine one day they may cause more pain than gain. For example, BOMs have reduced the likelihood of issues and Gradle users don’t seemed to have suffered very often, given the rate of user reports. But yes, it is providing some value.
Do keep in touch if you continue to suffer and if
--offlinedoesn’t work for you. Your use-case is also legit. We just get to continue weighing the costs/benefits.Closing as it seems we’ve come to an understanding, but if something changes comment and we can reopen.
Thanks for finding and sharing that dependency version link. I understand more clearly your point about soft/hard dependencies and the dependency tree. I also appreciate
requireUpperBoundDepsand I’ll try to implement it as well, it looks like the right thing to do.You’ve convinced me that the brackets do serve a functional and required purpose. I’ll work around the network issue using a workaround on my end. I still don’t want it to output the network access during builds.