March 27, 2009

Maven Repositories: define in POM or settings?

If you are using Maven for more than just playing, you certainly have a repository Manager installed to both proxy artifacts downloaded from public repositories, and host your own artifacts to make them available to other team members and teams. (If you really really don't have one yet, consider using Nexus, an open source Maven repository manager created by Sonatype.)

Well, so you use a repository manager. Now, you need to tell Maven to use it to download all the missing artifacts. Moreover, as an organization, you usually want to control where the artifacts are downloaded from. This means you need to make sure that all developers are using the identical set of repositories for all the projects.

There are two placed you could use to configure your repositories: in the project's POM, or in the <settings> element on the settings.xml file. This post will discuss both ways and tell you which one you should use ;-)

The POM


The "innocent way" is to add a definition like this to your POM:

<repositories>
<repository>
<id>internal</id>
<name>Company internal repo</name>
<url>http://your.company.org/nexus/content/groups/public</url>
<releases>
<enabled>true</enabled>
<updatePolicy>always</updatePolicy>
<checksumPolicy>warn</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
Maven uses all declared repositories to find missing artifacts. If it can't find what it's looking for, Maven will also fall back to the repository central which is defined in the built-in parent POM. However, this is usually not what you want; instead, all artifacts should be proxied by your repository manager.

This can be prevented by "overloading" the central repository with your own repository manager, i.e. you just add a definition with <id>central</id>.

When using a central repository manager, the definition of repositories should be the same for all your projects. This is usually done by putting this stuff to a company's base POM. But... if someone is starting in a clean environment, Maven will have to know where the repository is to find the project's parent POM, where it will find where the repository is... you're stuck.

Moreover, any POM that is included by transitive dependencies may specifiy additional repositories which are not redirected like the central repo. These external repositories are used by Maven to find all dependencies, even your internal ones that for sure are not hosted there; and you still do not really control where the artifacts are coming from.

Hence, using POM to define your repositories does not really solve any problem. Just don't do that!

The Settings


So, we end up with the alternative and recommended way of defining your repositories: the settings.

To really make sure that all developers and all projects are using the identical set of repositories, you should use mirrors to tell Maven to redirect all artifact requests to your internal repository manager.

Both the mirror and repository settings can be defined in the settings.xml file. I think I will do another post to explain what a good setup would look like...

There are two locations for settings.xml file:

  1. the Maven installation at $M2_HOME/conf/settings.xml
  2. the user's local settings: ${user.home}/.m2/settings.xml
Both can contain the same set of definitions. So, which one to use?

Actually, both locations require the Maven user (your team members) to manually do some configuration in their setting file. This is general not preferred for the known reasons: everybody needs to do this manually, no automatic update if settings change later on, unexpected behaviour when someone forgets to adopt his/her file etc.

The only way to avoid these drawbacks is to avoid all manual editing work, i.e. provide a central version of the settings file that is checked in to your sourcecode management system (SCM). This can't be done for the second option (user's settings) but it can be done for the first (installation settings) – if you put Maven installation under source control.

This sounds a bit strange at first (after all, it's an executable!) but is really clever IMO, for the following reasons:

  • You make sure everybody uses the same version of Maven; no more Maven version dependencies!
  • You can use a relative path from your projects to the Maven installation if they are part of the same source repository, for instance in batch files, Eclipse launch configurations etc.
  • The correct settings are applied automatically and may be updated in the repository without requiring any editing by the developers (except for updating).
  • Maven installation is only around 2 MB of size, which is not really an issue for any SCM.


The Bottom Line


To summarize, by putting your Maven installation in your SCM as part of your project environment, and using central settings to configure Maven to use your repository manager, you reduce dependency to local environment. And stabilizing your builds is always a good thing!

4 comments:

  1. You say settings is recommended, but I don't see any support for that assertion. For my money, the project POM is better, as I get the settings automatically when I checkout, without introducing the opportunity for error by requiring a local configuration change.

    ReplyDelete
  2. Christophe, you're right on. A sample correct settings.xml is shown here:http://www.sonatype.com/books/nexus-book/reference/maven-sect-single-group.html

    Jason Lee, I also wrote on this recently, and provide support for my reasons. You can see the entry here: http://www.sonatype.com/people/2009/02/why-putting-repositories-in-your-poms-is-a-bad-idea/

    ReplyDelete
  3. Gents, sorry for the late answer, I have been sick for some weeks :-(

    @Jason, I thought I gave the reasons I think the POM is not the right place, in short: redundancy -- you'll have to override the central repo in every POM if you don't want to have this deadlock; unstable -- does not prevent Maven from loading dependencies from external repos defined in any POM included transitively. Moreover, if you put Maven (including its settings.xml) to SCM, you also don't rely on local configuration. That's working really great for us in a big number of projects, but of course your mileage may vary...

    @Brian, thanks for the link, I'm glad to see your post suggests a similar approach. I really should read the Sonatype Blog more regularly ;-)

    ReplyDelete
  4. I noticed that when there is no repository configured in the pom.xml, then Maven
    does not even look at the settings.xml, to find a entry, for example.

    ReplyDelete